Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NoERE2024000013833.exe

Overview

General Information

Sample name:NoERE2024000013833.exe
Analysis ID:1546202
MD5:fcd3727d56f9e69be13c397a22b8843e
SHA1:928a3ac26dc99383b21c5fa071e4d245b0ca11fc
SHA256:d36e88ce588046e6ebb2f893aa7bb910ae99be757e8d879f820fc8188b0d79c1
Tags:exeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • NoERE2024000013833.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\NoERE2024000013833.exe" MD5: FCD3727D56F9E69BE13C397A22B8843E)
    • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 2044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 2084 cmdline: C:\Windows\system32\WerFault.exe -u -p 2004 -s 1036 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": "          WORTHwill3611!           "}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              Click to see the 8 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x339aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x33a1c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x33aa6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x33b38:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x33ba2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x33c14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x33caa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x33d3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  2.2.InstallUtil.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    2.2.InstallUtil.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 10 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Suspicious Outbound SMTP Connections
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 74.119.238.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 404, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:15.932722+010020229301A Network Trojan was detected172.202.163.200443192.168.2.449740TCP
                      2024-10-31T16:18:53.588043+010020229301A Network Trojan was detected172.202.163.200443192.168.2.449744TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:06.266393+010020301711A Network Trojan was detected192.168.2.44973474.119.238.7587TCP
                      2024-10-31T16:18:09.199310+010020301711A Network Trojan was detected192.168.2.44973774.119.238.7587TCP
                      2024-10-31T16:19:36.572721+010020301711A Network Trojan was detected192.168.2.44992874.119.238.7587TCP
                      2024-10-31T16:19:47.550104+010020301711A Network Trojan was detected192.168.2.44997174.119.238.7587TCP
                      2024-10-31T16:19:49.981170+010020301711A Network Trojan was detected192.168.2.44997874.119.238.7587TCP
                      2024-10-31T16:19:51.657687+010020301711A Network Trojan was detected192.168.2.44998574.119.238.7587TCP
                      2024-10-31T16:20:15.887144+010020301711A Network Trojan was detected192.168.2.45001474.119.238.7587TCP
                      2024-10-31T16:20:33.087424+010020301711A Network Trojan was detected192.168.2.45001574.119.238.7587TCP
                      2024-10-31T16:20:53.473188+010020301711A Network Trojan was detected192.168.2.45001674.119.238.7587TCP
                      2024-10-31T16:20:56.730866+010020301711A Network Trojan was detected192.168.2.45001774.119.238.7587TCP
                      2024-10-31T16:21:44.874890+010020301711A Network Trojan was detected192.168.2.45001974.119.238.7587TCP
                      2024-10-31T16:21:59.570878+010020301711A Network Trojan was detected192.168.2.45002174.119.238.7587TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:05.699966+010028555421A Network Trojan was detected192.168.2.44973474.119.238.7587TCP
                      2024-10-31T16:18:08.968325+010028555421A Network Trojan was detected192.168.2.44973774.119.238.7587TCP
                      2024-10-31T16:19:36.566245+010028555421A Network Trojan was detected192.168.2.44992874.119.238.7587TCP
                      2024-10-31T16:19:47.543273+010028555421A Network Trojan was detected192.168.2.44997174.119.238.7587TCP
                      2024-10-31T16:19:49.962198+010028555421A Network Trojan was detected192.168.2.44997874.119.238.7587TCP
                      2024-10-31T16:19:51.650871+010028555421A Network Trojan was detected192.168.2.44998574.119.238.7587TCP
                      2024-10-31T16:20:15.870251+010028555421A Network Trojan was detected192.168.2.45001474.119.238.7587TCP
                      2024-10-31T16:20:33.079223+010028555421A Network Trojan was detected192.168.2.45001574.119.238.7587TCP
                      2024-10-31T16:20:53.465102+010028555421A Network Trojan was detected192.168.2.45001674.119.238.7587TCP
                      2024-10-31T16:20:56.722808+010028555421A Network Trojan was detected192.168.2.45001774.119.238.7587TCP
                      2024-10-31T16:21:44.868302+010028555421A Network Trojan was detected192.168.2.45001974.119.238.7587TCP
                      2024-10-31T16:21:59.564489+010028555421A Network Trojan was detected192.168.2.45002174.119.238.7587TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:05.699966+010028552451A Network Trojan was detected192.168.2.44973474.119.238.7587TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:06.266393+010028397231Malware Command and Control Activity Detected192.168.2.44973474.119.238.7587TCP
                      2024-10-31T16:18:09.199310+010028397231Malware Command and Control Activity Detected192.168.2.44973774.119.238.7587TCP
                      2024-10-31T16:19:36.572721+010028397231Malware Command and Control Activity Detected192.168.2.44992874.119.238.7587TCP
                      2024-10-31T16:19:47.550104+010028397231Malware Command and Control Activity Detected192.168.2.44997174.119.238.7587TCP
                      2024-10-31T16:19:49.981170+010028397231Malware Command and Control Activity Detected192.168.2.44997874.119.238.7587TCP
                      2024-10-31T16:19:51.657687+010028397231Malware Command and Control Activity Detected192.168.2.44998574.119.238.7587TCP
                      2024-10-31T16:20:15.887144+010028397231Malware Command and Control Activity Detected192.168.2.45001474.119.238.7587TCP
                      2024-10-31T16:20:33.087424+010028397231Malware Command and Control Activity Detected192.168.2.45001574.119.238.7587TCP
                      2024-10-31T16:20:53.473188+010028397231Malware Command and Control Activity Detected192.168.2.45001674.119.238.7587TCP
                      2024-10-31T16:20:56.730866+010028397231Malware Command and Control Activity Detected192.168.2.45001774.119.238.7587TCP
                      2024-10-31T16:21:44.874890+010028397231Malware Command and Control Activity Detected192.168.2.45001974.119.238.7587TCP
                      2024-10-31T16:21:59.570878+010028397231Malware Command and Control Activity Detected192.168.2.45002174.119.238.7587TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-31T16:18:06.266393+010028400321A Network Trojan was detected192.168.2.44973474.119.238.7587TCP
                      2024-10-31T16:18:09.199310+010028400321A Network Trojan was detected192.168.2.44973774.119.238.7587TCP
                      2024-10-31T16:19:36.572721+010028400321A Network Trojan was detected192.168.2.44992874.119.238.7587TCP
                      2024-10-31T16:19:47.550104+010028400321A Network Trojan was detected192.168.2.44997174.119.238.7587TCP
                      2024-10-31T16:19:49.981170+010028400321A Network Trojan was detected192.168.2.44997874.119.238.7587TCP
                      2024-10-31T16:19:51.657687+010028400321A Network Trojan was detected192.168.2.44998574.119.238.7587TCP
                      2024-10-31T16:20:15.887144+010028400321A Network Trojan was detected192.168.2.45001474.119.238.7587TCP
                      2024-10-31T16:20:33.087424+010028400321A Network Trojan was detected192.168.2.45001574.119.238.7587TCP
                      2024-10-31T16:20:53.473188+010028400321A Network Trojan was detected192.168.2.45001674.119.238.7587TCP
                      2024-10-31T16:20:56.730866+010028400321A Network Trojan was detected192.168.2.45001774.119.238.7587TCP
                      2024-10-31T16:21:44.874890+010028400321A Network Trojan was detected192.168.2.45001974.119.238.7587TCP
                      2024-10-31T16:21:59.570878+010028400321A Network Trojan was detected192.168.2.45002174.119.238.7587TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 2.2.InstallUtil.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": " WORTHwill3611! "}
                      Multi AV Scanner detection for submitted file
                      Source: NoERE2024000013833.exeReversingLabs: Detection: 31%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for sample
                      Source: NoERE2024000013833.exeJoe Sandbox ML: detected

                      Exploits

                      barindex
                      Yara detected UAC Bypass using CMSTP
                      Source: Yara matchFile source: 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: NoERE2024000013833.exe PID: 2004, type: MEMORYSTR
                      Source: NoERE2024000013833.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.ni.pdbRSDS source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb- source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdb source: WER8720.tmp.dmp.6.dr

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49737 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49737 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49737 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49737 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49928 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49928 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49928 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49928 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49985 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49978 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49971 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49985 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49985 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49985 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49971 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49978 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49971 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49978 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49971 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49978 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50014 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50015 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50019 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50021 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50016 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50019 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50015 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50019 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50019 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50021 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50021 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50015 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50021 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50015 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50014 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50014 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50014 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50016 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50016 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50016 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:50017 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:50017 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:50017 -> 74.119.238.7:587
                      Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:50017 -> 74.119.238.7:587
                      Source: global trafficTCP traffic: 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: Joe Sandbox ViewIP Address: 74.119.238.7 74.119.238.7
                      Source: Joe Sandbox ViewASN Name: VPLSNETUS VPLSNETUS
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49740
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49744
                      Source: global trafficTCP traffic: 192.168.2.4:49734 -> 74.119.238.7:587
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficDNS traffic detected: DNS query: mail.alhoneycomb.com
                      Source: InstallUtil.exe, 00000002.00000002.4123322438.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000003053000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.000000000318C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.alhoneycomb.com
                      Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                      Source: NoERE2024000013833.exe, 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Contains functionality to log keystrokes (.Net Source)
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, SKTzxzsJw.cs.Net Code: GhwkGV1Ll50
                      Source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, SKTzxzsJw.cs.Net Code: GhwkGV1Ll50
                      Installs a global keyboard hook
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B87CB610_2_00007FFD9B87CB61
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8750F10_2_00007FFD9B8750F1
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8708B50_2_00007FFD9B8708B5
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B88576F0_2_00007FFD9B88576F
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B87BF140_2_00007FFD9B87BF14
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B87C6D90_2_00007FFD9B87C6D9
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B87F4E50_2_00007FFD9B87F4E5
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8795300_2_00007FFD9B879530
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8711F20_2_00007FFD9B8711F2
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B88107C0_2_00007FFD9B88107C
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8857BC0_2_00007FFD9B8857BC
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B9400500_2_00007FFD9B940050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_011500062_2_01150006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_011500402_2_01150040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_02AF43302_2_02AF4330
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_02AF4C002_2_02AF4C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_02AF3FE82_2_02AF3FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_02AFBF202_2_02AFBF20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_02AFBF122_2_02AFBF12
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06286E502_2_06286E50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0628BF382_2_0628BF38
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0628A7A82_2_0628A7A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062807F82_2_062807F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06283B382_2_06283B38
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0628F3EF2_2_0628F3EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06289A8B2_2_06289A8B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0628B8582_2_0628B858
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062C46B82_2_062C46B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062C9CAC2_2_062C9CAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062C26F02_2_062C26F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062CB5512_2_062CB551
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062C9CA02_2_062C9CA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062C7CC02_2_062C7CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06749B892_2_06749B89
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06744BA02_2_06744BA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_067439202_2_06743920
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2004 -s 1036
                      Source: NoERE2024000013833.exeStatic PE information: No import functions for PE file found
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884538117.000002620C990000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUtowipujilozizifena0 vs NoERE2024000013833.exe
                      Source: NoERE2024000013833.exe, 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb17b300f-3107-4f0e-bd36-73672dc506a5.exe4 vs NoERE2024000013833.exe
                      Source: NoERE2024000013833.exe, 00000000.00000000.1658635757.000002620ADA6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFuckingShit.exe8 vs NoERE2024000013833.exe
                      Source: NoERE2024000013833.exeBinary or memory string: OriginalFilenameFuckingShit.exe8 vs NoERE2024000013833.exe
                      Source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: NoERE2024000013833.exe, ----.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@7/5@1/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2004
                      Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\da0b6137-ac40-4635-a4ba-2761987917a1Jump to behavior
                      Source: NoERE2024000013833.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: NoERE2024000013833.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: NoERE2024000013833.exeReversingLabs: Detection: 31%
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeFile read: C:\Users\user\Desktop\NoERE2024000013833.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\NoERE2024000013833.exe "C:\Users\user\Desktop\NoERE2024000013833.exe"
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2004 -s 1036
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: NoERE2024000013833.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: NoERE2024000013833.exeStatic file information: File size 3596943 > 1048576
                      Source: NoERE2024000013833.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: NoERE2024000013833.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.ni.pdbRSDS source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb- source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER8720.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdb source: WER8720.tmp.dmp.6.dr
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B877963 push ebx; retf 0_2_00007FFD9B87796A
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B877960 push ebx; retf 0_2_00007FFD9B87796A
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8768B9 push ebp; retn 0008h0_2_00007FFD9B8768BA
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B8768CC push esp; retn 0008h0_2_00007FFD9B8768CD
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B870814 pushad ; ret 0_2_00007FFD9B870821
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeCode function: 0_2_00007FFD9B940050 push esp; retf 4810h0_2_00007FFD9B940312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062CC0B0 push es; ret 2_2_062CC0C0
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: NoERE2024000013833.exe PID: 2004, type: MEMORYSTR
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory allocated: 2620B0D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory allocated: 26224A50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2CB0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7373Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2467Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -200000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99765s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99546s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99437s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99109s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98999s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98890s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98780s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98671s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98562s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98452s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98336s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98098s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97968s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97660s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97540s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97359s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97250s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97137s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99890s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99781s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99672s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99562s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99453s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99344s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99233s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99119s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -99014s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98905s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98796s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98687s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98578s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98469s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98359s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98250s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98139s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -98031s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97922s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97812s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97703s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97594s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97484s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97375s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5480Thread sleep time: -97265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99546Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99218Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98999Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98780Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98671Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98452Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98336Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98218Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98098Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97968Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97660Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97540Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97250Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97137Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99781Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99672Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99344Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99233Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99119Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99014Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98905Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98796Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98250Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98139Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97922Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97703Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97594Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97484Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97265Jump to behavior
                      Source: Amcache.hve.6.drBinary or memory string: VMware
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                      Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.6.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: Amcache.hve.6.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                      Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: InstallUtil.exe, 00000002.00000002.4129065646.0000000006067000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.6.drBinary or memory string: vmci.sys
                      Source: Amcache.hve.6.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                      Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                      Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: NoERE2024000013833.exe, 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      .NET source code references suspicious native API functions
                      Source: NoERE2024000013833.exe, ----.csReference to suspicious API methods: GetProcAddress(_320E_A9B4_322A, _31CA_A9B4_31C8_3197_322E)
                      Source: NoERE2024000013833.exe, ----.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer<_D7FE_3201>(GetProcAddress(LoadLibrary(_A9B7_31DB_320B_3197[2]), _A9B7_31DB_320B_3197[3]))
                      Source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, zOS.csReference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BDB008Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeQueries volume information: C:\Users\user\Desktop\NoERE2024000013833.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\NoERE2024000013833.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4123322438.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: NoERE2024000013833.exe PID: 2004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 404, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4123322438.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: NoERE2024000013833.exe PID: 2004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 404, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d2d3b88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.NoERE2024000013833.exe.2621d296b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4123322438.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: NoERE2024000013833.exe PID: 2004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 404, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		311
                      Process Injection                      		1
                      Disable or Modify Tools                      		2
                      OS Credential Dumping                      		231
                      Security Software Discovery                      		Remote Services1
                      Email Collection                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Native API                      		Boot or Logon Initialization Scripts1
                      DLL Side-Loading                      		151
                      Virtualization/Sandbox Evasion                      		21
                      Input Capture                      		1
                      Process Discovery                      		Remote Desktop Protocol21
                      Input Capture                      		1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
                      Process Injection                      		1
                      Credentials in Registry                      		151
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin Shares11
                      Archive Collected Data                      		1
                      Non-Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Deobfuscate/Decode Files or Information                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object Model2
                      Data from Local System                      		11
                      Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSH1
                      Clipboard Data                      		Fallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      DLL Side-Loading                      		Cached Domain Credentials24
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      NoERE2024000013833.exe32%ReversingLabsWin64.Trojan.Generic
                      NoERE2024000013833.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://upx.sf.net0%URL Reputationsafe
                      https://account.dyn.com/0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      mail.alhoneycomb.com
                      		74.119.238.7
                      		truetrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://upx.sf.netAmcache.hve.6.drfalse
                        • URL Reputation: safe
                        		unknown
                        https://account.dyn.com/NoERE2024000013833.exe, 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://mail.alhoneycomb.comInstallUtil.exe, 00000002.00000002.4123322438.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.0000000003053000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4123322438.000000000318C000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          74.119.238.7
                          		mail.alhoneycomb.comUnited States
                          		35908VPLSNETUStrue

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1546202
                          Start date and time:2024-10-31 16:17:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 34s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:11
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:NoERE2024000013833.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@7/5@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 94%
                          • Number of executed functions: 107
                          • Number of non-executed functions: 7
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 52.182.143.212
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: NoERE2024000013833.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          11:18:02API Interceptor10671733x Sleep call for process: InstallUtil.exe modified
                          11:18:18API Interceptor1x Sleep call for process: WerFault.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          74.119.238.71863415243647.exeGet hashmaliciousAgentTeslaBrowse
                            Halkbank_Ekstre_20230426_075819_154085.exeGet hashmaliciousAgentTeslaBrowse
                              hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                New Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                  rPO_CW00402902400415.exeGet hashmaliciousAgentTeslaBrowse

                                    Domains

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    mail.alhoneycomb.com1863415243647.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    Halkbank_Ekstre_20230426_075819_154085.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    New Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    rPO_CW00402902400415.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7

                                    ASNs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    VPLSNETUSbin.sh.elfGet hashmaliciousMiraiBrowse
                                    • 174.139.206.51
                                    arm7.elfGet hashmaliciousUnknownBrowse
                                    • 98.126.6.24
                                    mpsl.elfGet hashmaliciousUnknownBrowse
                                    • 174.139.231.14
                                    la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                    • 174.139.68.183
                                    1863415243647.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    Halkbank_Ekstre_20230426_075819_154085.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7
                                    la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                    • 174.139.218.86
                                    na.elfGet hashmaliciousMiraiBrowse
                                    • 98.126.6.38
                                    New Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                    • 74.119.238.7

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NoERE20240000138_63a7ade33fcf8e6782cf4f395bc29799fa92023_992c1a96_9a37bb2c-84d5-4845-8954-bb1a9aef85a6\Report.wer

                                    Download File
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.9932461349061201
                                    Encrypted:false
                                    SSDEEP:192:vbj6y9PO50UnUVaWBHpgXzuiFGZ24lO8iy3:X6WPjUnUVamHeXzuiFGY4lO8iU
                                    MD5:5EC5E245890469DF39F49673454CCCB7
                                    SHA1:74DE4AF62F52133CE1EE8216F03FD99104E44585
                                    SHA-256:89425EB36EE10CA5D0E68DE34A86C818474E56E8D1F05EDDC64457996A27336B
                                    SHA-512:2EF14DDF94B24F928C0637C858741AADF3757B0DD6D6E6E00CD559D4507707187F3CE5E382ECC47F486F3881A06064BACCB488CE2ADFC4D0A6E4E8BB417CBB47
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.6.1.4.7.8.7.9.8.1.0.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.6.1.4.7.9.3.4.4.9.8.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.3.7.b.b.2.c.-.8.4.d.5.-.4.8.4.5.-.8.9.5.4.-.b.b.1.a.9.a.e.f.8.5.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.a.e.6.c.0.7.-.8.4.1.1.-.4.6.a.7.-.8.a.9.3.-.e.e.8.e.7.5.c.5.b.2.8.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.N.o.E.R.E.2.0.2.4.0.0.0.0.1.3.8.3.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.u.c.k.i.n.g.S.h.i.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.d.4.-.0.0.0.1.-.0.0.1.4.-.a.e.b.a.-.1.b.1.0.a.8.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.3.7.a.6.c.6.3.8.f.5.6.b.c.f.2.3.e.8.5.7.0.f.c.8.f.1.1.f.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.9.2.8.a.3.a.c.2.6.d.c.9.9.3.8.3.b.2.1.c.5.f.a.0.7.1.e.4.d.2.4.5.b.0.c.a.1.1.f.c.

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8720.tmp.dmp

                                    Download File
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Mini DuMP crash report, 16 streams, Thu Oct 31 15:17:59 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):387163
                                    Entropy (8bit):3.295704502732141
                                    Encrypted:false
                                    SSDEEP:3072:V/E+jM43gVpW31psAdE4qjcSgi1CCqQRHb3+vw0ll5:V/E+A6EW3Cn37qQRHb3Q
                                    MD5:48060F58B2BEEEE8C20B2D0580C6A44F
                                    SHA1:C5E0F40BE0AEEDB158C9A46C1984CA2B9B48CA87
                                    SHA-256:C5D87F1507BEC3CEC95600543FAE14991BA6FAE9C2A7F1E4EE385F64FFE46A80
                                    SHA-512:5024BEF1B3C79A3BB5393E233F71CB15A8F907B82C70671F5286691163A9D2833B2F3078E4B9DAD39B075086BEB70178C22A92293E952B9EA7C3208661E63201
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .........#g....................................$...........d...(.......tF...u..........l.......8...........T............(...............8..........x:..............................................................................eJ.......;......Lw......................T.............#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8888.tmp.WERInternalMetadata.xml

                                    Download File
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8630
                                    Entropy (8bit):3.7090208150508963
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJY1Db6Y9BacJgmfx6J/prp89bLb4fw45m:R6lXJub6YracJgmfxi0L0fU
                                    MD5:58A8C4531AC384BD0F841887EE634B14
                                    SHA1:F739EF9A2F48F2B9AC950DFB4DA499D58017FF5D
                                    SHA-256:C12EA758FBA5EF9504F61717645333E01A2D67A48A716FBFC788F26D03DC9F40
                                    SHA-512:96D743039E3E47FC83DB29D3C5D8B7AAC9882142602E93E82C9E6122D9159AF554936C3B14F41CEB87892B40ADDF5AACF90C200264E49EA91127C74CCA88D664
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.0.4.<./.P.i.

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER88B8.tmp.xml

                                    Download File
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4799
                                    Entropy (8bit):4.525115378505152
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsLJg771I9PkWpW8VYkYm8M4JMAFMyq85CLmwUpd:uIjflI7o97VsJE5tUpd
                                    MD5:C080245CF9010E22E43334BDA40C14B6
                                    SHA1:43548480ED27DD40F82CFDECFC4D79DF6DF6DEC1
                                    SHA-256:D706C443DBBBD9E7BD88A2666EDE8E69A6CC4BF9EC738B06F89B7C5D65CF9508
                                    SHA-512:08BF3E9256D607B9484CCEBF820C20879C345CF2E727F06C129234871B320D408A1D8A869C9816D1828D2195CE4BC376E943F65FF1B2A2127DBA4874C03A4AD5
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567740" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                    C:\Windows\appcompat\Programs\Amcache.hve

                                    Download File
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.465752430567172
                                    Encrypted:false
                                    SSDEEP:6144:kIXfpi67eLPU9skLmb0b48WSPKaJG8nAgejZMMhA2gX4WABl0uNldwBCswSbhD:ZXD948WlLZMM6YFHr+h
                                    MD5:A613EEFEF6123EE9CEB85E8648E69968
                                    SHA1:DB1758C004CAB803B8DD6D2B1F40DE01D7715121
                                    SHA-256:8A57E52447EBB1E8C34E807C41818FF2B257DFF54E618288A26A85803B59E318
                                    SHA-512:C00BABA0CA48757FDD05CBF3984561C80E4EC9FAC117C6797E3BEE9E1286BF94DDEA3C5C8EBD0A8EF53B6EF879257B896B647AD450431929A11926DDAA1D5EEF
                                    Malicious:false
                                    Reputation:low
                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....+...............................................................................................................................................................................................................................................................................................................................................i.%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    Static File Info

                                    General

                                    File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):4.236772874604311
                                    TrID:
                                    • Win64 Executable Console Net Framework (206006/5) 48.58%
                                    • Win64 Executable Console (202006/5) 47.64%
                                    • Win64 Executable (generic) (12005/4) 2.83%
                                    • Generic Win/DOS Executable (2004/3) 0.47%
                                    • DOS Executable Generic (2002/1) 0.47%
                                    File name:NoERE2024000013833.exe
                                    File size:3'596'943 bytes
                                    MD5:fcd3727d56f9e69be13c397a22b8843e
                                    SHA1:928a3ac26dc99383b21c5fa071e4d245b0ca11fc
                                    SHA256:d36e88ce588046e6ebb2f893aa7bb910ae99be757e8d879f820fc8188b0d79c1
                                    SHA512:ec09e0dc5621835c31a62a3cdf435ada632f84584c612ee96bc87e62378837ff627059a9b468d114d33588e0b7ecacc14af29a63d8402313017a07ddef6eac13
                                    SSDEEP:12288:xquBeBsQLLzjmEY/5Li5oIUCmItmiFYMjrSpxPmGqQvU0z3H2KGvL:xW25L+0IgiFpiuwHKvL
                                    TLSH:70F512943B972E0BFC6E56B4C0D232F280FE5D1379F6869FCF456CA502969BC2242578
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f#g.........."...0..(............... ....@...... ....................................`................................

                                    File Icon

                                    Icon Hash:90cececece8e8eb0

                                    Static PE Info

                                    General

                                    Entrypoint:0x400000
                                    Entrypoint Section:
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows cui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x672366A9 [Thu Oct 31 11:14:49 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:

                                    Entrypoint Preview

                                    Instruction
                                    dec ebp
                                    pop edx
                                    nop
                                    add byte ptr [ebx], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x5f6.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x484e0x1c.text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000x28ee0x2a0024199f46333ad2965bad19322cae93d6False0.6167224702380952data6.234249124640782IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc0x60000x5f60x600c49dc9dc5c1b1149f6f38bdcafe82caaFalse0.4166666666666667data4.214703724660371IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                    RT_VERSION0x60a00x36cdata0.3938356164383562
                                    RT_MANIFEST0x640c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                    Network Behavior

                                    Suricata IDS Alerts

                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-10-31T16:18:05.699966+01002855245ETPRO MALWARE Agent Tesla Exfil via SMTP1192.168.2.44973474.119.238.7587TCP
                                    2024-10-31T16:18:05.699966+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44973474.119.238.7587TCP
                                    2024-10-31T16:18:06.266393+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44973474.119.238.7587TCP
                                    2024-10-31T16:18:06.266393+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44973474.119.238.7587TCP
                                    2024-10-31T16:18:06.266393+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44973474.119.238.7587TCP
                                    2024-10-31T16:18:08.968325+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44973774.119.238.7587TCP
                                    2024-10-31T16:18:09.199310+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44973774.119.238.7587TCP
                                    2024-10-31T16:18:09.199310+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44973774.119.238.7587TCP
                                    2024-10-31T16:18:09.199310+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44973774.119.238.7587TCP
                                    2024-10-31T16:18:15.932722+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow1172.202.163.200443192.168.2.449740TCP
                                    2024-10-31T16:18:53.588043+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow1172.202.163.200443192.168.2.449744TCP
                                    2024-10-31T16:19:36.566245+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44992874.119.238.7587TCP
                                    2024-10-31T16:19:36.572721+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44992874.119.238.7587TCP
                                    2024-10-31T16:19:36.572721+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44992874.119.238.7587TCP
                                    2024-10-31T16:19:36.572721+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44992874.119.238.7587TCP
                                    2024-10-31T16:19:47.543273+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44997174.119.238.7587TCP
                                    2024-10-31T16:19:47.550104+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44997174.119.238.7587TCP
                                    2024-10-31T16:19:47.550104+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44997174.119.238.7587TCP
                                    2024-10-31T16:19:47.550104+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44997174.119.238.7587TCP
                                    2024-10-31T16:19:49.962198+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44997874.119.238.7587TCP
                                    2024-10-31T16:19:49.981170+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44997874.119.238.7587TCP
                                    2024-10-31T16:19:49.981170+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44997874.119.238.7587TCP
                                    2024-10-31T16:19:49.981170+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44997874.119.238.7587TCP
                                    2024-10-31T16:19:51.650871+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.44998574.119.238.7587TCP
                                    2024-10-31T16:19:51.657687+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.44998574.119.238.7587TCP
                                    2024-10-31T16:19:51.657687+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.44998574.119.238.7587TCP
                                    2024-10-31T16:19:51.657687+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.44998574.119.238.7587TCP
                                    2024-10-31T16:20:15.870251+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45001474.119.238.7587TCP
                                    2024-10-31T16:20:15.887144+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45001474.119.238.7587TCP
                                    2024-10-31T16:20:15.887144+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45001474.119.238.7587TCP
                                    2024-10-31T16:20:15.887144+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45001474.119.238.7587TCP
                                    2024-10-31T16:20:33.079223+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45001574.119.238.7587TCP
                                    2024-10-31T16:20:33.087424+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45001574.119.238.7587TCP
                                    2024-10-31T16:20:33.087424+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45001574.119.238.7587TCP
                                    2024-10-31T16:20:33.087424+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45001574.119.238.7587TCP
                                    2024-10-31T16:20:53.465102+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45001674.119.238.7587TCP
                                    2024-10-31T16:20:53.473188+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45001674.119.238.7587TCP
                                    2024-10-31T16:20:53.473188+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45001674.119.238.7587TCP
                                    2024-10-31T16:20:53.473188+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45001674.119.238.7587TCP
                                    2024-10-31T16:20:56.722808+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45001774.119.238.7587TCP
                                    2024-10-31T16:20:56.730866+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45001774.119.238.7587TCP
                                    2024-10-31T16:20:56.730866+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45001774.119.238.7587TCP
                                    2024-10-31T16:20:56.730866+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45001774.119.238.7587TCP
                                    2024-10-31T16:21:44.868302+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45001974.119.238.7587TCP
                                    2024-10-31T16:21:44.874890+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45001974.119.238.7587TCP
                                    2024-10-31T16:21:44.874890+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45001974.119.238.7587TCP
                                    2024-10-31T16:21:44.874890+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45001974.119.238.7587TCP
                                    2024-10-31T16:21:59.564489+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.45002174.119.238.7587TCP
                                    2024-10-31T16:21:59.570878+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.45002174.119.238.7587TCP
                                    2024-10-31T16:21:59.570878+01002839723ETPRO MALWARE Win32/Agent Tesla SMTP Activity1192.168.2.45002174.119.238.7587TCP
                                    2024-10-31T16:21:59.570878+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.45002174.119.238.7587TCP

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Oct 31, 2024 16:18:03.253041983 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:03.259742022 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:03.259830952 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:04.470115900 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:04.480895996 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:04.486460924 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:04.645661116 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:04.646835089 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:04.655706882 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:04.800005913 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:04.804245949 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:04.809015036 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.144268990 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.184948921 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.189750910 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.351702929 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.366583109 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.371413946 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.535995960 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.536242008 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.541055918 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.698997021 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.699872017 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.699965954 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.700009108 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.700038910 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.704683065 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.704694033 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.704873085 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.704885006 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.857727051 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:05.902436018 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.908706903 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:05.913686037 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:06.266205072 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:06.266392946 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:06.267671108 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:06.271636963 CET5874973474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:06.271827936 CET49734587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:06.272991896 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:06.273082972 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:06.962619066 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:06.962841034 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:06.968152046 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.159893990 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.160104990 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.177380085 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.177438974 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.178266048 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.178308010 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.179115057 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.179150105 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.179161072 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.317024946 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.317230940 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.323467970 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.475339890 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.475465059 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.480357885 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.639945030 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.640073061 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.644887924 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.811012983 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.811247110 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.816067934 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.966856956 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.968254089 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968298912 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968324900 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968353033 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968462944 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968512058 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968542099 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968556881 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.968581915 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:18:08.973288059 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973295927 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973412991 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973558903 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973572016 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973579884 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973629951 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:08.973838091 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:09.147162914 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:18:09.199310064 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:34.416914940 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:34.421885967 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:34.775343895 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:34.775441885 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:34.776367903 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:34.780706882 CET5874973774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:34.780766964 CET49737587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:34.781152964 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:34.781208038 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:35.478149891 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:35.480988979 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:35.486838102 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:35.643930912 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:35.644318104 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:35.649429083 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:35.805958986 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:35.806173086 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:35.811186075 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.071170092 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.071660042 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.076520920 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.231666088 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.231995106 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.236793041 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.404135942 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.405733109 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.410826921 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.565882921 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.566145897 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.566219091 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.566245079 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.566322088 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.567622900 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.571233988 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.571244955 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.571253061 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.571319103 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.571507931 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572585106 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572663069 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.572669029 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572680950 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572699070 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572715044 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572721004 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.572726965 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572751045 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.572778940 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.572793007 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.576107979 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.576155901 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577580929 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577641010 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577680111 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577739954 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577824116 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577833891 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577868938 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577877045 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577878952 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577892065 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577923059 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577939034 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.577945948 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.577992916 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.580950975 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.580997944 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.582370996 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582422018 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.582448959 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582495928 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.582554102 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582604885 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.582719088 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582763910 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:36.582783937 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582803965 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582869053 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582906961 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582961082 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582973957 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.582986116 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583030939 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583039999 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583096981 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583106995 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583115101 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.583200932 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.585915089 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587117910 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587137938 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587198019 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587207079 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587328911 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587337971 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587357044 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587366104 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587392092 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587435007 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587488890 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587503910 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587596893 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587626934 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587635994 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587713957 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587723017 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587730885 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587747097 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587755919 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587765932 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587775946 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587795973 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587832928 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:36.587842941 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:37.036322117 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:37.090159893 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:45.429310083 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:45.434415102 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:45.857887983 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:45.857920885 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:45.858005047 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:45.861299038 CET49928587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:45.865992069 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:45.866147041 CET5874992874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:45.870892048 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:45.871093988 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:46.582937956 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:46.584023952 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:46.588937998 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:46.740765095 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:46.740955114 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:46.745841026 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:46.897644997 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:46.897901058 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:46.902710915 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.056622982 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.056885958 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.061822891 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.220524073 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.220715046 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.225626945 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.386177063 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.386328936 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.391230106 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.542891026 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.543190002 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.543272972 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.543272972 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.544810057 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.544810057 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.548171997 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.548201084 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.548223019 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.548342943 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.549768925 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.549877882 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.549911976 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.550065041 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.550103903 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.550137043 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.550203085 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.550308943 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.553230047 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.554944992 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.554999113 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.555118084 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.555161953 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.555210114 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.555387020 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.555947065 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.556189060 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.560245991 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.560504913 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.560575008 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561022043 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561078072 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561115980 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561150074 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.561160088 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561172009 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561213970 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561220884 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561245918 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561258078 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.561284065 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.565464973 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.565471888 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566098928 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566118002 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566231966 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566242933 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566248894 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566261053 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566277027 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566288948 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566327095 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566338062 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566404104 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566415071 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566492081 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566576004 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566581011 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566591978 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566615105 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566627026 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566682100 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566694021 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566716909 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566765070 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.566771030 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.952250004 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:47.958897114 CET5874997174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:47.959120035 CET49971587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:48.014801979 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:48.019726992 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:48.019819975 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:48.725155115 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:48.726598978 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:48.731576920 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:48.879946947 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:48.880232096 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:48.885169983 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.313122034 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.314250946 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.314301968 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.331835032 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.336734056 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.489509106 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.490072012 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.494836092 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.643208981 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.643363953 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.648205042 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.806843042 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.806992054 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.811866999 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.961858988 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.962136984 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.962136984 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.962198019 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.962220907 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.963551044 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.967035055 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.967048883 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.967061996 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.967077017 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.967133045 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.968419075 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.968431950 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.968446016 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.968457937 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.968530893 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.968554020 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.972281933 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.981169939 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:49.986253977 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.986351967 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.986476898 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.986490011 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.986540079 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.988204002 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:49.996576071 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.001564026 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.001597881 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.001642942 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.001652002 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.001691103 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.001705885 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.001740932 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.001874924 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.001878977 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.002033949 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002048016 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002079964 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002093077 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002156019 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002254963 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002269030 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002283096 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002325058 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002337933 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002371073 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002383947 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002396107 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002409935 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002423048 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002445936 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002460957 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002474070 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002496958 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.002509117 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007065058 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007088900 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007103920 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007193089 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007205009 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007225990 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007241011 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007255077 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007278919 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007303953 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007324934 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007338047 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007358074 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007365942 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007860899 CET5874997874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.007917881 CET49978587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.033893108 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.038892031 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.038976908 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.678345919 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.678474903 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.683326006 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.835803986 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.835926056 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.840874910 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.993899107 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:50.994069099 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:50.999015093 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.154047012 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.154176950 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.158948898 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.310635090 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.310894966 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.316016912 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.483351946 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.483494043 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.488400936 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.650290966 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.650790930 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.650790930 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.650871038 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.650871038 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.652761936 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.655704975 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.655716896 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.655721903 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.655726910 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.655822992 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.657602072 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.657686949 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.657706976 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.657828093 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.662605047 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.662813902 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.662950993 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.663022995 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.663130045 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.667973995 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668025017 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668107033 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668174028 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668209076 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668226004 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.668291092 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668301105 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668363094 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668401957 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668483019 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668487072 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668518066 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668535948 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668596029 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668601990 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668603897 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668638945 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668642998 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668672085 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668726921 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668740988 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.668745041 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673114061 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673118114 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673141956 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673185110 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673188925 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673228025 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673237085 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673240900 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673260927 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673265934 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673305035 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673327923 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673331976 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673336983 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673367977 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673372984 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673391104 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673422098 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.673425913 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:51.675967932 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:19:51.681224108 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:52.103801966 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:19:52.152674913 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:13.708986044 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:13.713892937 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.067080021 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.067351103 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.068162918 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.072510958 CET5874998574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.072570086 CET49985587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.072943926 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.073004961 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.773274899 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.777765036 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.782723904 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.934442997 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:14.936115980 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:14.941227913 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.091141939 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.096164942 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.101360083 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.375216007 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.378133059 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.383671045 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.546149969 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.550411940 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.555355072 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.713881969 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.714025021 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.719223022 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.869781971 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.870156050 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.870225906 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.870250940 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.870326042 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.872834921 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.875080109 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.875091076 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.875098944 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.875150919 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.875281096 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877744913 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877799988 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877814054 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877821922 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877832890 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877841949 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.877954960 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.887144089 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.892226934 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.892280102 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.893006086 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.893081903 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.899481058 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.899581909 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:15.904572964 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904644012 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904686928 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904736042 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904787064 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904838085 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904927969 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904990911 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.904999971 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905047894 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905052900 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905061007 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905203104 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905211926 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905220985 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905230045 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905237913 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905252934 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905332088 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905333996 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905338049 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905339003 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905342102 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905352116 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905360937 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905376911 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905388117 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905461073 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905471087 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905478954 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905587912 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905632973 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:15.905642033 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:16.324552059 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:16.467628002 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:30.909288883 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:30.914236069 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:31.266510963 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:31.266727924 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:31.270100117 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:31.271886110 CET5875001474.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:31.272003889 CET50014587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:31.275063992 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:31.275156021 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:31.953761101 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:31.953902006 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:31.958899021 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.110306978 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.110446930 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:32.115632057 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.423291922 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.423507929 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:32.428390026 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.580900908 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.582299948 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:32.587186098 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.737236977 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.737931967 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:32.742739916 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.913315058 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:32.913691044 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:32.918998957 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.078877926 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.079199076 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.079199076 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.079222918 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.079353094 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.082381964 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.084137917 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.084142923 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.084150076 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.084244967 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.084377050 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087321043 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087327003 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087331057 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087354898 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087424040 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.087819099 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.087903023 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092272043 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092396021 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092413902 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092464924 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092473984 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092636108 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092679024 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092771053 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092869997 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092885971 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092890024 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.092900038 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092959881 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.092967987 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.093031883 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.093076944 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.093177080 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.097322941 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097424984 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097472906 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.097516060 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097573996 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.097609997 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097641945 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097647905 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.097683907 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097749949 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097750902 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:33.097862959 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097915888 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.097960949 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098062038 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098066092 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098113060 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098225117 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098228931 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098232985 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098243952 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098256111 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098259926 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098396063 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098400116 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098413944 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098432064 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.098437071 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102387905 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102464914 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102469921 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102520943 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102524996 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102535963 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102580070 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102623940 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102674007 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102699041 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102726936 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102854013 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102917910 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102925062 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.102972031 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.103115082 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.103120089 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.103123903 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.103245020 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.526276112 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:33.715512991 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:51.302103996 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:51.307035923 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:51.661803961 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:51.661926985 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:51.662985086 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:51.667896986 CET5875001574.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:51.667917967 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:51.667944908 CET50015587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:51.668006897 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:52.340404034 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.348177910 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:52.353123903 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.506561041 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.509721041 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:52.515758038 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.671910048 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.672347069 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:52.677522898 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.972326040 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:52.976176023 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:52.983505964 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.134902000 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.135101080 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.140074968 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.305529118 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.307244062 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.312293053 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.464618921 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.465007067 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.465101957 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.465101957 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.465101957 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.468106031 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.470099926 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.470118999 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.470122099 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.470136881 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.470206976 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.473092079 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473161936 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473166943 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473187923 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.473303080 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473309994 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473315001 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473352909 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.473423004 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.473449945 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.473563910 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.478183985 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478303909 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.478312969 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478424072 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.478557110 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478720903 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.478792906 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478799105 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478825092 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.478892088 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.478967905 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.484019995 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484178066 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.484291077 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484424114 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484441996 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.484523058 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484539032 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484565973 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.484589100 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484594107 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484637022 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:53.484739065 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.484983921 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485049963 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485126972 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485178947 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485184908 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485280991 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485285997 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485291958 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485337973 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485343933 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485356092 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485361099 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485367060 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.485371113 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489818096 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489824057 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489906073 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489912033 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489921093 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.489922047 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490381002 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490426064 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490487099 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490495920 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490498066 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490500927 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490550041 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490555048 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490560055 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.490572929 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.491364956 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.491370916 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.491375923 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.920732975 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:53.965332985 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:54.387208939 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:54.614588976 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:54.965711117 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:54.965888977 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:54.966794014 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:54.972412109 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:54.972599983 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:54.972944021 CET5875001674.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:54.974606037 CET50016587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:55.739991903 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:55.746331930 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:55.751195908 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:55.903584003 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:55.904427052 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:55.909398079 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.067034960 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.067289114 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.075829983 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.229716063 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.229885101 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.234848976 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.387094021 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.387375116 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.392282009 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.565022945 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.565171957 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.570067883 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.722338915 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.722758055 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.722807884 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.722807884 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.722871065 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.725280046 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.727699995 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.727705002 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.727710009 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.727827072 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.727866888 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.730387926 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.730612040 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.730865955 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.735954046 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.736143112 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.736202002 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.736265898 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.736413956 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.741214991 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.741373062 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.741450071 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.741455078 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.741524935 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.741539001 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:20:56.741797924 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746565104 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746644974 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746690989 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746695042 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746705055 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746722937 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746763945 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746768951 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746772051 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746861935 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746865988 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.746870041 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747180939 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747185946 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747189999 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747193098 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747226000 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747236967 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747245073 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747248888 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747257948 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747262001 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:56.747272015 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:57.179287910 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:20:57.230982065 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:41.714152098 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:41.719393969 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.072247028 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.072514057 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.073689938 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.077995062 CET5875001774.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.078181982 CET50017587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.078784943 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.078952074 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.793322086 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.793497086 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.798528910 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.949953079 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:42.950136900 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:42.955713987 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.107336998 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.107526064 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.113837957 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.137418985 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.144154072 CET5875001874.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.144210100 CET50018587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.195619106 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.201936960 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.202012062 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.915477037 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:43.918329000 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:43.923535109 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.072505951 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.074331045 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.079428911 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.228091002 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.228317976 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.234380007 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.384036064 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.386373997 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.392430067 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.540668964 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.540858030 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.546999931 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.711258888 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.714401960 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.719419003 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.867868900 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.868196964 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.868235111 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.868302107 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.868366957 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.869904041 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.873064041 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.873153925 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.873261929 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.873351097 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.873565912 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.874816895 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.874890089 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.874922991 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.874994040 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.875123978 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.875189066 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.879785061 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.879801989 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.879847050 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.879864931 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.879955053 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.879961967 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880029917 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.880172968 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880265951 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.880273104 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880279064 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880311012 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880357981 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.880606890 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.880665064 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.885409117 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885421991 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885426998 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885447979 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885452986 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885464907 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885530949 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:44.885772943 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885788918 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885795116 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885925055 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885937929 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.885942936 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.890702963 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.890714884 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.890717030 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.890719891 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891089916 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891096115 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891100883 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891105890 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891122103 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891128063 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891133070 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891138077 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891153097 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891159058 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891171932 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891176939 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891189098 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:44.891194105 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:45.325737953 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:45.371686935 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:56.022187948 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:56.027132988 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:56.376312971 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:56.381066084 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:56.382404089 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:56.386491060 CET5875001974.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:56.386671066 CET50019587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:56.387269974 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:56.388113022 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.112572908 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.112772942 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.117721081 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.274768114 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.274926901 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.279839993 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.436788082 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.436996937 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.441924095 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.612190008 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.612385988 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.617391109 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.773534060 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.773828030 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.778587103 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.874377012 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.879815102 CET5875002074.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.879966021 CET50020587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.927902937 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:57.932827950 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:57.933221102 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:58.608536959 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:58.608829021 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:58.613846064 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:58.764866114 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:58.767282009 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:58.772233009 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:58.924272060 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:58.924659014 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:58.929568052 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.082058907 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.082227945 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.087328911 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.241230011 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.241439104 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.246392012 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.408051014 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.408480883 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.413351059 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.564086914 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.564443111 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.564488888 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.564488888 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.564534903 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.565856934 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.569382906 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.569466114 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.569473982 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.569499016 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.569552898 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.570796013 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.570878029 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.570878983 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.570961952 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.571207047 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.571276903 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.575799942 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.575897932 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.576126099 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.576268911 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.576320887 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.576387882 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.580872059 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581016064 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.581139088 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581195116 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581207037 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.581239939 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581244946 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581267118 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.581316948 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:21:59.581418991 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581535101 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581540108 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581543922 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581552982 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.581557035 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.585988045 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.585994959 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586147070 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586255074 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586363077 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586368084 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586371899 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586374998 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586472034 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586498976 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586549044 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586553097 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586558104 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586612940 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586616993 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586621046 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586652994 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586658001 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586672068 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586675882 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586714983 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586719990 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586724043 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586776972 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.586781979 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:21:59.587369919 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:00.012480021 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:00.074857950 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:02.901762962 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:02.906728983 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:03.261152983 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:03.261310101 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:03.262655973 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:03.267265081 CET5875002174.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:03.267338037 CET50021587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:03.267518997 CET5875002274.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:03.267589092 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:03.954570055 CET5875002274.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:04.028017044 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.115748882 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.115823030 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.120656013 CET5875002274.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:05.121241093 CET5875002274.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:05.121308088 CET50022587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.172713041 CET50023587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.181597948 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:05.181708097 CET50023587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.862996101 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:05.863173008 CET50023587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:05.868092060 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.016365051 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.016679049 CET50023587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:06.021692038 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.174333096 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.174586058 CET50023587192.168.2.474.119.238.7
                                    Oct 31, 2024 16:22:06.180818081 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.359371901 CET5875002374.119.238.7192.168.2.4
                                    Oct 31, 2024 16:22:06.403038979 CET50023587192.168.2.474.119.238.7

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Oct 31, 2024 16:18:02.963543892 CET5755453192.168.2.41.1.1.1
                                    Oct 31, 2024 16:18:03.246776104 CET53575541.1.1.1192.168.2.4

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Oct 31, 2024 16:18:02.963543892 CET192.168.2.41.1.1.10x4d45Standard query (0)mail.alhoneycomb.comA (IP address)IN (0x0001)false

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Oct 31, 2024 16:18:03.246776104 CET1.1.1.1192.168.2.40x4d45No error (0)mail.alhoneycomb.com74.119.238.7A (IP address)IN (0x0001)false

                                    SMTP Packets

                                    TimestampSource PortDest PortSource IPDest IPCommands
                                    Oct 31, 2024 16:18:04.470115900 CET5874973474.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:48:04 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:18:04.480895996 CET49734587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:18:04.645661116 CET5874973474.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:18:04.646835089 CET49734587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:18:04.800005913 CET5874973474.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:18:05.144268990 CET5874973474.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:18:05.184948921 CET49734587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:18:05.351702929 CET5874973474.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:18:05.366583109 CET49734587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:18:05.535995960 CET5874973474.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:18:05.536242008 CET49734587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:18:05.698997021 CET5874973474.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:18:05.700038910 CET49734587192.168.2.474.119.238.7.
                                    Oct 31, 2024 16:18:05.857727051 CET5874973474.119.238.7192.168.2.4250 OK id=1t6Ww1-001V4C-1z
                                    Oct 31, 2024 16:18:05.908706903 CET49734587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:18:06.266205072 CET5874973474.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:18:06.962619066 CET5874973774.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:48:06 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:18:06.962841034 CET49737587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:18:08.159893990 CET5874973774.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:18:08.160104990 CET49737587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:18:08.177380085 CET5874973774.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:18:08.178266048 CET5874973774.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:18:08.179115057 CET5874973774.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:18:08.317024946 CET5874973774.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:18:08.475339890 CET5874973774.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:18:08.475465059 CET49737587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:18:08.639945030 CET5874973774.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:18:08.640073061 CET49737587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:18:08.811012983 CET5874973774.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:18:08.811247110 CET49737587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:18:08.966856956 CET5874973774.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:18:08.968581915 CET49737587192.168.2.474.119.238.7.
                                    Oct 31, 2024 16:18:09.147162914 CET5874973774.119.238.7192.168.2.4250 OK id=1t6Ww4-001V5J-2q
                                    Oct 31, 2024 16:19:34.416914940 CET49737587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:19:34.775343895 CET5874973774.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:19:35.478149891 CET5874992874.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:49:35 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:19:35.480988979 CET49928587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:19:35.643930912 CET5874992874.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:19:35.644318104 CET49928587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:19:35.805958986 CET5874992874.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:19:36.071170092 CET5874992874.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:19:36.071660042 CET49928587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:36.231666088 CET5874992874.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:19:36.231995106 CET49928587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:36.404135942 CET5874992874.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:19:36.405733109 CET49928587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:19:36.565882921 CET5874992874.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:19:37.036322117 CET5874992874.119.238.7192.168.2.4250 OK id=1t6WxU-001Vpl-1Z
                                    Oct 31, 2024 16:19:45.429310083 CET49928587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:19:45.857887983 CET5874992874.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:19:46.582937956 CET5874997174.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:49:46 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:19:46.584023952 CET49971587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:19:46.740765095 CET5874997174.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:19:46.740955114 CET49971587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:19:46.897644997 CET5874997174.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:19:47.056622982 CET5874997174.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:19:47.056885958 CET49971587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:47.220524073 CET5874997174.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:19:47.220715046 CET49971587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:47.386177063 CET5874997174.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:19:47.386328936 CET49971587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:19:47.542891026 CET5874997174.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:19:48.725155115 CET5874997874.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:49:48 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:19:48.726598978 CET49978587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:19:48.879946947 CET5874997874.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:19:48.880232096 CET49978587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:19:49.313122034 CET5874997874.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:19:49.314250946 CET5874997874.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:19:49.489509106 CET5874997874.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:19:49.490072012 CET49978587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:49.643208981 CET5874997874.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:19:49.643363953 CET49978587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:49.806843042 CET5874997874.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:19:49.806992054 CET49978587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:19:49.961858988 CET5874997874.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:19:50.678345919 CET5874998574.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:49:50 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:19:50.678474903 CET49985587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:19:50.835803986 CET5874998574.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:19:50.835926056 CET49985587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:19:50.993899107 CET5874998574.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:19:51.154047012 CET5874998574.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:19:51.154176950 CET49985587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:51.310635090 CET5874998574.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:19:51.310894966 CET49985587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:19:51.483351946 CET5874998574.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:19:51.483494043 CET49985587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:19:51.650290966 CET5874998574.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:19:51.675967932 CET49985587192.168.2.474.119.238.7.
                                    Oct 31, 2024 16:19:52.103801966 CET5874998574.119.238.7192.168.2.4250 OK id=1t6Wxj-001Vz8-1p
                                    Oct 31, 2024 16:20:13.708986044 CET49985587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:20:14.067080021 CET5874998574.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:20:14.773274899 CET5875001474.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:50:14 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:20:14.777765036 CET50014587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:20:14.934442997 CET5875001474.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:20:14.936115980 CET50014587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:20:15.091141939 CET5875001474.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:20:15.375216007 CET5875001474.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:20:15.378133059 CET50014587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:15.546149969 CET5875001474.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:20:15.550411940 CET50014587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:15.713881969 CET5875001474.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:20:15.714025021 CET50014587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:20:15.869781971 CET5875001474.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:20:16.324552059 CET5875001474.119.238.7192.168.2.4250 OK id=1t6Wy7-001WEm-2X
                                    Oct 31, 2024 16:20:30.909288883 CET50014587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:20:31.266510963 CET5875001474.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:20:31.953761101 CET5875001574.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:50:31 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:20:31.953902006 CET50015587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:20:32.110306978 CET5875001574.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:20:32.110446930 CET50015587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:20:32.423291922 CET5875001574.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:20:32.580900908 CET5875001574.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:20:32.582299948 CET50015587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:32.737236977 CET5875001574.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:20:32.737931967 CET50015587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:32.913315058 CET5875001574.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:20:32.913691044 CET50015587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:20:33.078877926 CET5875001574.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:20:33.526276112 CET5875001574.119.238.7192.168.2.4250 OK id=1t6WyO-001WRB-3D
                                    Oct 31, 2024 16:20:51.302103996 CET50015587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:20:51.661803961 CET5875001574.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:20:52.340404034 CET5875001674.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:50:52 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:20:52.348177910 CET50016587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:20:52.506561041 CET5875001674.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:20:52.509721041 CET50016587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:20:52.671910048 CET5875001674.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:20:52.972326040 CET5875001674.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:20:52.976176023 CET50016587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:53.134902000 CET5875001674.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:20:53.135101080 CET50016587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:53.305529118 CET5875001674.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:20:53.307244062 CET50016587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:20:53.464618921 CET5875001674.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:20:53.920732975 CET5875001674.119.238.7192.168.2.4250 OK id=1t6Wyj-001Wc3-1E
                                    Oct 31, 2024 16:20:54.387208939 CET50016587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:20:54.965711117 CET5875001674.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:20:55.739991903 CET5875001774.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:50:55 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:20:55.746331930 CET50017587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:20:55.903584003 CET5875001774.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:20:55.904427052 CET50017587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:20:56.067034960 CET5875001774.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:20:56.229716063 CET5875001774.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:20:56.229885101 CET50017587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:56.387094021 CET5875001774.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:20:56.387375116 CET50017587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:20:56.565022945 CET5875001774.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:20:56.565171957 CET50017587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:20:56.722338915 CET5875001774.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:20:57.179287910 CET5875001774.119.238.7192.168.2.4250 OK id=1t6Wym-001Wdp-24
                                    Oct 31, 2024 16:21:41.714152098 CET50017587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:21:42.072247028 CET5875001774.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:21:42.793322086 CET5875001874.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:51:42 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:21:42.793497086 CET50018587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:21:42.949953079 CET5875001874.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:21:42.950136900 CET50018587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:21:43.107336998 CET5875001874.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:21:43.915477037 CET5875001974.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:51:43 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:21:43.918329000 CET50019587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:21:44.072505951 CET5875001974.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:21:44.074331045 CET50019587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:21:44.228091002 CET5875001974.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:21:44.384036064 CET5875001974.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:21:44.386373997 CET50019587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:44.540668964 CET5875001974.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:21:44.540858030 CET50019587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:44.711258888 CET5875001974.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:21:44.714401960 CET50019587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:21:44.867868900 CET5875001974.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:21:45.325737953 CET5875001974.119.238.7192.168.2.4250 OK id=1t6WzY-001X4c-2X
                                    Oct 31, 2024 16:21:56.022187948 CET50019587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:21:56.376312971 CET5875001974.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:21:57.112572908 CET5875002074.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:51:57 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:21:57.112772942 CET50020587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:21:57.274768114 CET5875002074.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:21:57.274926901 CET50020587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:21:57.436788082 CET5875002074.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:21:57.612190008 CET5875002074.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:21:57.612385988 CET50020587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:57.773534060 CET5875002074.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:21:57.773828030 CET50020587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:58.608536959 CET5875002174.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:51:58 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:21:58.608829021 CET50021587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:21:58.764866114 CET5875002174.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:21:58.767282009 CET50021587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:21:58.924272060 CET5875002174.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:21:59.082058907 CET5875002174.119.238.7192.168.2.4235 Authentication succeeded
                                    Oct 31, 2024 16:21:59.082227945 CET50021587192.168.2.474.119.238.7MAIL FROM:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:59.241230011 CET5875002174.119.238.7192.168.2.4250 OK
                                    Oct 31, 2024 16:21:59.241439104 CET50021587192.168.2.474.119.238.7RCPT TO:<blog@alhoneycomb.com>
                                    Oct 31, 2024 16:21:59.408051014 CET5875002174.119.238.7192.168.2.4250 Accepted
                                    Oct 31, 2024 16:21:59.408480883 CET50021587192.168.2.474.119.238.7DATA
                                    Oct 31, 2024 16:21:59.564086914 CET5875002174.119.238.7192.168.2.4354 Enter message, ending with "." on a line by itself
                                    Oct 31, 2024 16:22:00.012480021 CET5875002174.119.238.7192.168.2.4250 OK id=1t6Wzn-001XDB-1Y
                                    Oct 31, 2024 16:22:02.901762962 CET50021587192.168.2.474.119.238.7QUIT
                                    Oct 31, 2024 16:22:03.261152983 CET5875002174.119.238.7192.168.2.4221 md-la-5.webhostbox.net closing connection
                                    Oct 31, 2024 16:22:03.954570055 CET5875002274.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:52:03 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:22:05.115748882 CET50022587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:22:05.862996101 CET5875002374.119.238.7192.168.2.4220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 31 Oct 2024 20:52:05 +0530
                                    220-We do not authorize the use of this system to transport unsolicited,
                                    220 and/or bulk e-mail.
                                    Oct 31, 2024 16:22:05.863173008 CET50023587192.168.2.474.119.238.7EHLO 965969
                                    Oct 31, 2024 16:22:06.016365051 CET5875002374.119.238.7192.168.2.4250-md-la-5.webhostbox.net Hello 965969 [173.254.250.77]
                                    250-SIZE 52428800
                                    250-8BITMIME
                                    250-PIPELINING
                                    250-PIPECONNECT
                                    250-AUTH PLAIN LOGIN
                                    250-STARTTLS
                                    250 HELP
                                    Oct 31, 2024 16:22:06.016679049 CET50023587192.168.2.474.119.238.7AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
                                    Oct 31, 2024 16:22:06.174333096 CET5875002374.119.238.7192.168.2.4334 UGFzc3dvcmQ6
                                    Oct 31, 2024 16:22:06.359371901 CET5875002374.119.238.7192.168.2.4235 Authentication succeeded

                                    Statistics

                                    CPU Usage

                                    Click to jump to process

                                    Memory Usage

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:11:17:56
                                    Start date:31/10/2024
                                    Path:C:\Users\user\Desktop\NoERE2024000013833.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\NoERE2024000013833.exe"
                                    Imagebase:0x2620ada0000
                                    File size:3'596'943 bytes
                                    MD5 hash:FCD3727D56F9E69BE13C397A22B8843E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1884610057.000002620CD82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1885047529.000002621D259000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:1
                                    Start time:11:17:56
                                    Start date:31/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:2
                                    Start time:11:17:57
                                    Start date:31/10/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                    Imagebase:0x910000
                                    File size:42'064 bytes
                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4120836178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4123322438.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4123322438.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:moderate
                                    Has exited:false

                                    General

                                    Target ID:3
                                    Start time:11:17:57
                                    Start date:31/10/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                    Imagebase:0xb80000
                                    File size:42'064 bytes
                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    General

                                    Target ID:6
                                    Start time:11:17:57
                                    Start date:31/10/2024
                                    Path:C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 2004 -s 1036
                                    Imagebase:0x7ff7468c0000
                                    File size:570'736 bytes
                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Disassembly

                                    Reset < >

                                      Execution Graph

                                      Execution Coverage:11.1%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:8
                                      Total number of Limit Nodes:1
                                      execution_graph 15539 7ffd9b87381a 15540 7ffd9b873829 VirtualProtect 15539->15540 15542 7ffd9b87390b 15540->15542 15534 7ffd9b870e65 15536 7ffd9b870e89 15534->15536 15535 7ffd9b870e37 15536->15535 15537 7ffd9b870eea FreeConsole 15536->15537 15538 7ffd9b870f1e 15537->15538

                                      Executed Functions

                                      Function 00007FFD9B940050 Relevance: 3.4, Strings: 1, Instructions: 2161COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892724843.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b940000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: A`$%
                                      • API String ID: 0-4040629893
                                      • Opcode ID: f107b1dd8a7d9e122f1eac0a30e40bbbb782bb260c6b134c68b89246a1de5b66
                                      • Instruction ID: 678bd8af1b54be3e4cfa9f52000346fcfdf7578771e7e86096358f2ea3ec480e
                                      • Opcode Fuzzy Hash: f107b1dd8a7d9e122f1eac0a30e40bbbb782bb260c6b134c68b89246a1de5b66
                                      • Instruction Fuzzy Hash: A0E25B31A1E7DA4FE766DB6888655B47FE1EF56700F0A06FAD088CB1E3DA146906C381
                                      Function 00007FFD9B87F4E5 Relevance: 1.9, Instructions: 1909COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 25f586d1b1a97d3002bfebb2dbfaed1b0f797b301f9939426ab27a5267c2774c
                                      • Instruction ID: 27f6c60571b338bd7c7185ea985dd6ebda3c32d675dd0bba5685dbe6e5534936
                                      • Opcode Fuzzy Hash: 25f586d1b1a97d3002bfebb2dbfaed1b0f797b301f9939426ab27a5267c2774c
                                      • Instruction Fuzzy Hash: 7BD29B3161DB894FE329DB28C4A04B5B7E2FFD9305B0445BED48AC72A6DE34E946C781
                                      Function 00007FFD9B87CB61 Relevance: 1.4, Instructions: 1444COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 981 7ffd9b87cb61-7ffd9b87cb9b 983 7ffd9b87cba1-7ffd9b87cbe6 call 7ffd9b87bc40 call 7ffd9b877f40 981->983 984 7ffd9b87cc2c-7ffd9b87cc3f 981->984 983->984 995 7ffd9b87cbe8-7ffd9b87cc06 983->995 989 7ffd9b87cc81-7ffd9b87cc84 984->989 990 7ffd9b87cc41-7ffd9b87cc59 984->990 993 7ffd9b87cd26-7ffd9b87cd37 989->993 994 7ffd9b87cc85-7ffd9b87cca1 989->994 996 7ffd9b87cca3-7ffd9b87ccba call 7ffd9b877f40 call 7ffd9b8786a0 990->996 997 7ffd9b87cc5b-7ffd9b87cc7f 990->997 1002 7ffd9b87cd79-7ffd9b87cd86 993->1002 1003 7ffd9b87cd39-7ffd9b87cd49 993->1003 994->996 995->984 998 7ffd9b87cc08-7ffd9b87cc2b 995->998 996->993 1011 7ffd9b87ccbc-7ffd9b87ccce 996->1011 997->989 1006 7ffd9b87ce23-7ffd9b87ce31 1002->1006 1007 7ffd9b87cd8c-7ffd9b87cd9f 1002->1007 1005 7ffd9b87cd4a 1003->1005 1009 7ffd9b87cd4b-7ffd9b87cd59 1005->1009 1017 7ffd9b87ce33-7ffd9b87ce35 1006->1017 1018 7ffd9b87ce36-7ffd9b87ce54 1006->1018 1010 7ffd9b87cda3-7ffd9b87cdc5 call 7ffd9b87bc40 1007->1010 1009->1010 1016 7ffd9b87cd5b-7ffd9b87cd5e 1009->1016 1010->1006 1022 7ffd9b87cdc7-7ffd9b87cdd9 1010->1022 1011->1005 1020 7ffd9b87ccd0 1011->1020 1021 7ffd9b87cd62-7ffd9b87cd78 1016->1021 1017->1018 1030 7ffd9b87ce55-7ffd9b87ce59 1018->1030 1023 7ffd9b87ccd2-7ffd9b87ccda 1020->1023 1024 7ffd9b87cd16-7ffd9b87cd25 1020->1024 1021->1002 1029 7ffd9b87cddb 1022->1029 1022->1030 1023->1009 1027 7ffd9b87ccdc-7ffd9b87cce1 1023->1027 1027->1021 1031 7ffd9b87cce3-7ffd9b87cd04 call 7ffd9b8782e0 1027->1031 1034 7ffd9b87ce21-7ffd9b87ce22 1029->1034 1035 7ffd9b87cddd-7ffd9b87cdfb call 7ffd9b8782e0 1029->1035 1032 7ffd9b87cea3-7ffd9b87cee3 call 7ffd9b87bc40 * 2 call 7ffd9b877f40 1030->1032 1033 7ffd9b87ce5b-7ffd9b87ce86 1030->1033 1031->993 1047 7ffd9b87cd06-7ffd9b87cd14 1031->1047 1037 7ffd9b87cf7c 1032->1037 1056 7ffd9b87cee9-7ffd9b87cf0d 1032->1056 1033->1037 1038 7ffd9b87ce8c-7ffd9b87cea0 1033->1038 1035->1006 1045 7ffd9b87cdfd-7ffd9b87ce20 1035->1045 1046 7ffd9b87cf7d-7ffd9b87cf8f 1037->1046 1038->1032 1045->1034 1049 7ffd9b87cfd1 1046->1049 1050 7ffd9b87cf91-7ffd9b87cfa6 1046->1050 1047->1024 1052 7ffd9b87cfd2-7ffd9b87cfd9 1049->1052 1055 7ffd9b87cfdb-7ffd9b87cfde 1050->1055 1057 7ffd9b87cfa8 1050->1057 1052->1055 1058 7ffd9b87cff2-7ffd9b87cffe 1055->1058 1059 7ffd9b87cfe0-7ffd9b87cff0 1055->1059 1056->1046 1066 7ffd9b87cf0f-7ffd9b87cf1c 1056->1066 1063 7ffd9b87cfab-7ffd9b87cfbe 1057->1063 1060 7ffd9b87d000-7ffd9b87d00b 1058->1060 1061 7ffd9b87d00e-7ffd9b87d017 1058->1061 1059->1061 1060->1061 1064 7ffd9b87d019-7ffd9b87d01b 1061->1064 1065 7ffd9b87d088-7ffd9b87d095 1061->1065 1063->1052 1067 7ffd9b87cfc0-7ffd9b87cfc1 1063->1067 1068 7ffd9b87d01d 1064->1068 1069 7ffd9b87d097-7ffd9b87d0aa 1064->1069 1065->1069 1070 7ffd9b87cf1e-7ffd9b87cf3a 1066->1070 1071 7ffd9b87cf65-7ffd9b87cf6e 1066->1071 1072 7ffd9b87cfc2-7ffd9b87cfd0 1067->1072 1074 7ffd9b87d063-7ffd9b87d087 1068->1074 1075 7ffd9b87d01f-7ffd9b87d037 call 7ffd9b8782e0 1068->1075 1077 7ffd9b87d0b1-7ffd9b87d0e3 call 7ffd9b87bc40 call 7ffd9b877f40 1069->1077 1078 7ffd9b87d0ac call 7ffd9b87bc40 1069->1078 1070->1063 1081 7ffd9b87cf3c-7ffd9b87cf41 1070->1081 1073 7ffd9b87cf70-7ffd9b87cf7b 1071->1073 1072->1061 1082 7ffd9b87d08d-7ffd9b87d0ac call 7ffd9b87bc40 1074->1082 1083 7ffd9b87d1e9-7ffd9b87d21a 1074->1083 1075->1074 1077->1083 1096 7ffd9b87d0e9-7ffd9b87d132 1077->1096 1078->1077 1081->1072 1086 7ffd9b87cf43-7ffd9b87cf5b 1081->1086 1082->1077 1094 7ffd9b87d264-7ffd9b87d2a6 call 7ffd9b87bc40 * 2 call 7ffd9b877f40 1083->1094 1095 7ffd9b87d21c-7ffd9b87d247 1083->1095 1097 7ffd9b87cf63 1086->1097 1098 7ffd9b87d3de-7ffd9b87d3f8 1094->1098 1123 7ffd9b87d2ac-7ffd9b87d2ca 1094->1123 1095->1098 1099 7ffd9b87d24d-7ffd9b87d263 1095->1099 1108 7ffd9b87d134-7ffd9b87d166 call 7ffd9b8782e0 1096->1108 1109 7ffd9b87d1b3-7ffd9b87d1bf 1096->1109 1097->1073 1111 7ffd9b87d3fa-7ffd9b87d433 1098->1111 1112 7ffd9b87d396-7ffd9b87d3b2 call 7ffd9b87c610 1098->1112 1099->1094 1108->1083 1124 7ffd9b87d16c-7ffd9b87d1b0 call 7ffd9b87c610 1108->1124 1109->1083 1115 7ffd9b87d1c1-7ffd9b87d1e8 1109->1115 1120 7ffd9b87d439-7ffd9b87d48e call 7ffd9b87bc40 * 2 call 7ffd9b877f40 1111->1120 1121 7ffd9b87d506-7ffd9b87d511 1111->1121 1126 7ffd9b87d3b4 1112->1126 1120->1121 1156 7ffd9b87d490-7ffd9b87d4bb 1120->1156 1135 7ffd9b87d513-7ffd9b87d515 1121->1135 1136 7ffd9b87d516-7ffd9b87d55b 1121->1136 1123->1098 1127 7ffd9b87d2d0-7ffd9b87d2ea 1123->1127 1124->1109 1126->1098 1130 7ffd9b87d3b6-7ffd9b87d3c9 1126->1130 1131 7ffd9b87d343 1127->1131 1132 7ffd9b87d2ec-7ffd9b87d2ef 1127->1132 1139 7ffd9b87d3cb-7ffd9b87d3dd 1130->1139 1131->1126 1137 7ffd9b87d345-7ffd9b87d34a 1131->1137 1140 7ffd9b87d2f1-7ffd9b87d30a 1132->1140 1141 7ffd9b87d370-7ffd9b87d394 1132->1141 1135->1136 1147 7ffd9b87d561-7ffd9b87d5a1 call 7ffd9b87bc40 call 7ffd9b877f40 1136->1147 1148 7ffd9b87d5e5-7ffd9b87d5f7 1136->1148 1137->1139 1143 7ffd9b87d34c-7ffd9b87d36b call 7ffd9b8782e0 1137->1143 1145 7ffd9b87d30c-7ffd9b87d323 1140->1145 1146 7ffd9b87d325-7ffd9b87d337 1140->1146 1141->1112 1143->1141 1151 7ffd9b87d33b-7ffd9b87d341 1145->1151 1146->1151 1147->1148 1169 7ffd9b87d5a3-7ffd9b87d5e4 call 7ffd9b879930 1147->1169 1161 7ffd9b87d639-7ffd9b87d6ae call 7ffd9b878ed0 1148->1161 1162 7ffd9b87d5f9-7ffd9b87d637 1148->1162 1151->1131 1159 7ffd9b87d4bd-7ffd9b87d4cf 1156->1159 1160 7ffd9b87d4fa-7ffd9b87d505 1156->1160 1159->1121 1166 7ffd9b87d4d1-7ffd9b87d4f7 1159->1166 1178 7ffd9b87d7a9-7ffd9b87d7b3 1161->1178 1162->1161 1166->1160 1179 7ffd9b87d6b3-7ffd9b87d6be 1178->1179 1180 7ffd9b87d7b9-7ffd9b87d7bf 1178->1180 1181 7ffd9b87d6c4-7ffd9b87d70d 1179->1181 1182 7ffd9b87d7c0-7ffd9b87d807 1179->1182 1189 7ffd9b87d70f-7ffd9b87d728 1181->1189 1190 7ffd9b87d72a-7ffd9b87d72c 1181->1190 1191 7ffd9b87d72f-7ffd9b87d73c 1189->1191 1190->1191 1193 7ffd9b87d7a1-7ffd9b87d7a6 1191->1193 1194 7ffd9b87d73e-7ffd9b87d79c call 7ffd9b87a3e0 1191->1194 1193->1178 1194->1193
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2371b388f9a0adc2afebb43f3ed80d2618af7c8315060b56c7698c919c9f6947
                                      • Instruction ID: b8afb38890c455d12d66441c9c78ede15ab91f3ce6a645e12be359ed0481bbe1
                                      • Opcode Fuzzy Hash: 2371b388f9a0adc2afebb43f3ed80d2618af7c8315060b56c7698c919c9f6947
                                      • Instruction Fuzzy Hash: 3FA2493061DB4E8FE719DB28C4A44A5B7E1FF89305B1445BED48AC72B6DE34E946CB40
                                      Function 00007FFD9B88107C Relevance: 1.1, Instructions: 1114COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 62f53e3a3566fbd2ac04576064ff4245bd37e5121fa5f1da714ae21dcc86f989
                                      • Instruction ID: 57b143f0b7c79d21314af1a0c20b0973488dca08c3ba26849bb0e1a53b167903
                                      • Opcode Fuzzy Hash: 62f53e3a3566fbd2ac04576064ff4245bd37e5121fa5f1da714ae21dcc86f989
                                      • Instruction Fuzzy Hash: 1B72793161DB4E4FE369EB28C4A15B177E1FF99300B0145BED09AC72A6DE38E946C781
                                      Function 00007FFD9B879530 Relevance: .9, Instructions: 928COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1745 7ffd9b879530-7ffd9b87df95 1747 7ffd9b87dfdf-7ffd9b87e009 1745->1747 1748 7ffd9b87df97-7ffd9b87dfde 1745->1748 1751 7ffd9b87e022 1747->1751 1752 7ffd9b87e00b-7ffd9b87e020 1747->1752 1748->1747 1753 7ffd9b87e024-7ffd9b87e029 1751->1753 1752->1753 1755 7ffd9b87e02f-7ffd9b87e03e 1753->1755 1756 7ffd9b87e126-7ffd9b87e146 1753->1756 1762 7ffd9b87e040-7ffd9b87e046 1755->1762 1763 7ffd9b87e048-7ffd9b87e049 1755->1763 1758 7ffd9b87e197-7ffd9b87e1a2 1756->1758 1760 7ffd9b87e1a4-7ffd9b87e1b3 1758->1760 1761 7ffd9b87e148-7ffd9b87e14e 1758->1761 1770 7ffd9b87e1c9 1760->1770 1771 7ffd9b87e1b5-7ffd9b87e1c7 1760->1771 1764 7ffd9b87e154-7ffd9b87e175 call 7ffd9b879510 1761->1764 1765 7ffd9b87e612-7ffd9b87e62a 1761->1765 1766 7ffd9b87e04b-7ffd9b87e06e 1762->1766 1763->1766 1783 7ffd9b87e17a-7ffd9b87e194 1764->1783 1777 7ffd9b87e674-7ffd9b87e6a1 call 7ffd9b874f18 1765->1777 1778 7ffd9b87e62c-7ffd9b87e667 call 7ffd9b879a58 1765->1778 1769 7ffd9b87e0c3-7ffd9b87e0ce 1766->1769 1774 7ffd9b87e070-7ffd9b87e076 1769->1774 1775 7ffd9b87e0d0-7ffd9b87e0e7 1769->1775 1776 7ffd9b87e1cb-7ffd9b87e1d0 1770->1776 1771->1776 1774->1765 1780 7ffd9b87e07c-7ffd9b87e0c0 call 7ffd9b879510 1774->1780 1792 7ffd9b87e0e9-7ffd9b87e10f call 7ffd9b879510 1775->1792 1793 7ffd9b87e116-7ffd9b87e121 call 7ffd9b8796c0 1775->1793 1781 7ffd9b87e25c-7ffd9b87e270 1776->1781 1782 7ffd9b87e1d6-7ffd9b87e1f8 call 7ffd9b879510 1776->1782 1828 7ffd9b87e6a3-7ffd9b87e6ab 1777->1828 1829 7ffd9b87e6ac-7ffd9b87e6af 1777->1829 1820 7ffd9b87e6b1-7ffd9b87e6bb 1778->1820 1821 7ffd9b87e669-7ffd9b87e672 1778->1821 1780->1769 1787 7ffd9b87e272-7ffd9b87e278 1781->1787 1788 7ffd9b87e2c0-7ffd9b87e2cf 1781->1788 1818 7ffd9b87e1fa-7ffd9b87e224 1782->1818 1819 7ffd9b87e226-7ffd9b87e227 1782->1819 1783->1758 1789 7ffd9b87e27a-7ffd9b87e295 1787->1789 1790 7ffd9b87e297-7ffd9b87e2af 1787->1790 1805 7ffd9b87e2d1-7ffd9b87e2da 1788->1805 1806 7ffd9b87e2dc 1788->1806 1789->1790 1808 7ffd9b87e2b8-7ffd9b87e2bb 1790->1808 1792->1793 1793->1781 1813 7ffd9b87e2de-7ffd9b87e2e3 1805->1813 1806->1813 1815 7ffd9b87e468-7ffd9b87e47d 1808->1815 1823 7ffd9b87e5ef-7ffd9b87e5f0 1813->1823 1824 7ffd9b87e2e9-7ffd9b87e2ec 1813->1824 1833 7ffd9b87e47f-7ffd9b87e4bb 1815->1833 1834 7ffd9b87e4bd 1815->1834 1822 7ffd9b87e229-7ffd9b87e230 1818->1822 1819->1822 1835 7ffd9b87e6bd-7ffd9b87e6c5 1820->1835 1836 7ffd9b87e6c6-7ffd9b87e6d7 1820->1836 1821->1777 1822->1781 1830 7ffd9b87e232-7ffd9b87e257 call 7ffd9b879538 1822->1830 1838 7ffd9b87e5f3-7ffd9b87e602 1823->1838 1831 7ffd9b87e334 1824->1831 1832 7ffd9b87e2ee-7ffd9b87e30b call 7ffd9b8701b8 1824->1832 1828->1829 1829->1820 1830->1781 1860 7ffd9b87e5de-7ffd9b87e5ee 1830->1860 1839 7ffd9b87e336-7ffd9b87e33b 1831->1839 1832->1831 1875 7ffd9b87e30d-7ffd9b87e332 1832->1875 1842 7ffd9b87e4bf-7ffd9b87e4c4 1833->1842 1834->1842 1835->1836 1845 7ffd9b87e6e2-7ffd9b87e71d 1836->1845 1846 7ffd9b87e6d9-7ffd9b87e6e1 1836->1846 1866 7ffd9b87e603-7ffd9b87e60b 1838->1866 1848 7ffd9b87e341-7ffd9b87e34d 1839->1848 1849 7ffd9b87e43c-7ffd9b87e45f 1839->1849 1852 7ffd9b87e534-7ffd9b87e548 1842->1852 1853 7ffd9b87e4c6-7ffd9b87e51d call 7ffd9b874e50 1842->1853 1856 7ffd9b87e724-7ffd9b87e72f 1845->1856 1857 7ffd9b87e71f call 7ffd9b87bc40 1845->1857 1846->1845 1848->1765 1858 7ffd9b87e353-7ffd9b87e362 1848->1858 1869 7ffd9b87e465-7ffd9b87e466 1849->1869 1862 7ffd9b87e54a-7ffd9b87e575 call 7ffd9b874e50 1852->1862 1863 7ffd9b87e597-7ffd9b87e5a3 call 7ffd9b877f40 1852->1863 1906 7ffd9b87e51f-7ffd9b87e523 1853->1906 1907 7ffd9b87e58e-7ffd9b87e594 1853->1907 1877 7ffd9b87e741 1856->1877 1878 7ffd9b87e731-7ffd9b87e73f 1856->1878 1857->1856 1864 7ffd9b87e364-7ffd9b87e373 1858->1864 1865 7ffd9b87e375-7ffd9b87e382 call 7ffd9b8701b8 1858->1865 1885 7ffd9b87e57a-7ffd9b87e582 1862->1885 1876 7ffd9b87e5a4-7ffd9b87e5bc 1863->1876 1887 7ffd9b87e388-7ffd9b87e38e 1864->1887 1865->1887 1866->1765 1869->1815 1875->1839 1876->1765 1883 7ffd9b87e5be-7ffd9b87e5ce 1876->1883 1884 7ffd9b87e743-7ffd9b87e748 1877->1884 1878->1884 1889 7ffd9b87e5d0-7ffd9b87e5db 1883->1889 1891 7ffd9b87e75f-7ffd9b87e767 call 7ffd9b874e68 1884->1891 1892 7ffd9b87e74a-7ffd9b87e75d call 7ffd9b873058 1884->1892 1885->1838 1890 7ffd9b87e584-7ffd9b87e587 1885->1890 1894 7ffd9b87e3c3-7ffd9b87e3c8 1887->1894 1895 7ffd9b87e390-7ffd9b87e3bd 1887->1895 1889->1860 1890->1866 1896 7ffd9b87e589 1890->1896 1908 7ffd9b87e76c-7ffd9b87e773 1891->1908 1892->1908 1894->1765 1902 7ffd9b87e3ce-7ffd9b87e3ee 1894->1902 1895->1894 1896->1889 1904 7ffd9b87e58b 1896->1904 1909 7ffd9b87e402-7ffd9b87e432 call 7ffd9b879cc8 1902->1909 1910 7ffd9b87e3f0-7ffd9b87e401 1902->1910 1904->1907 1906->1876 1911 7ffd9b87e525-7ffd9b87e52f 1906->1911 1907->1863 1916 7ffd9b87e437-7ffd9b87e43a 1909->1916 1910->1909 1916->1815
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1a6b76015905f19a4047a66d44134f39b6ea6259dba66bf7a6a7ffbf8efa616
                                      • Instruction ID: c57e237d447d9dac54057e43e74284f6f7e69acd27642e188c4367c2872e1dd3
                                      • Opcode Fuzzy Hash: b1a6b76015905f19a4047a66d44134f39b6ea6259dba66bf7a6a7ffbf8efa616
                                      • Instruction Fuzzy Hash: 82521730B09A0D8FDB68DB68D4A5A7977E1FF58305B1501BEE04EC36A2DE24ED429781
                                      Function 00007FFD9B87BF14 Relevance: .8, Instructions: 765COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1917 7ffd9b87bf14-7ffd9b87bf55 call 7ffd9b879860 1922 7ffd9b87bf57-7ffd9b87bfb8 call 7ffd9b8782e0 1917->1922 1923 7ffd9b87bfd6-7ffd9b87bfde 1917->1923 1927 7ffd9b87bfdf-7ffd9b87c03c 1922->1927 1928 7ffd9b87bfba-7ffd9b87bfd3 1922->1928 1932 7ffd9b87c03e-7ffd9b87c069 1927->1932 1933 7ffd9b87c086-7ffd9b87c0af call 7ffd9b87bc40 call 7ffd9b877f40 1927->1933 1928->1923 1934 7ffd9b87c06f-7ffd9b87c082 1932->1934 1935 7ffd9b87c1ac-7ffd9b87c1b9 1932->1935 1933->1935 1943 7ffd9b87c0b5-7ffd9b87c0df call 7ffd9b8786a0 1933->1943 1934->1933 1941 7ffd9b87c1c1 1935->1941 1942 7ffd9b87c1bb 1935->1942 1944 7ffd9b87c1c3 1941->1944 1945 7ffd9b87c1c5 1941->1945 1942->1941 1955 7ffd9b87c0e1-7ffd9b87c0eb 1943->1955 1956 7ffd9b87c0ed-7ffd9b87c0fd 1943->1956 1944->1945 1948 7ffd9b87c205 1944->1948 1946 7ffd9b87c1c6-7ffd9b87c1da 1945->1946 1953 7ffd9b87c224-7ffd9b87c239 call 7ffd9b877f40 1946->1953 1954 7ffd9b87c1dc-7ffd9b87c203 1946->1954 1950 7ffd9b87c303-7ffd9b87c313 1948->1950 1951 7ffd9b87c20b-7ffd9b87c222 1948->1951 1965 7ffd9b87c315-7ffd9b87c33c 1950->1965 1951->1953 1953->1950 1967 7ffd9b87c23f-7ffd9b87c2a5 call 7ffd9b8786a0 * 4 1953->1967 1954->1948 1955->1956 1958 7ffd9b87c10c 1955->1958 1963 7ffd9b87c0ff-7ffd9b87c10a 1956->1963 1964 7ffd9b87c17a-7ffd9b87c182 1956->1964 1961 7ffd9b87c10e-7ffd9b87c113 1958->1961 1961->1964 1968 7ffd9b87c115-7ffd9b87c11c 1961->1968 1963->1961 1964->1935 1966 7ffd9b87c184-7ffd9b87c196 1964->1966 1977 7ffd9b87c33e-7ffd9b87c341 1965->1977 1978 7ffd9b87c386-7ffd9b87c3c3 call 7ffd9b87bc40 * 2 call 7ffd9b877f40 1965->1978 1970 7ffd9b87c19c-7ffd9b87c1a1 1966->1970 2011 7ffd9b87c2ab-7ffd9b87c2ac 1967->2011 2012 7ffd9b87c2a7-7ffd9b87c2a9 1967->2012 1972 7ffd9b87c11e-7ffd9b87c121 1968->1972 1973 7ffd9b87c175 1968->1973 1976 7ffd9b87c1a2-7ffd9b87c1ab 1970->1976 1975 7ffd9b87c123-7ffd9b87c126 1972->1975 1972->1976 1973->1946 1979 7ffd9b87c177-7ffd9b87c178 1973->1979 1981 7ffd9b87c130-7ffd9b87c133 1975->1981 1982 7ffd9b87c128-7ffd9b87c12e 1975->1982 1983 7ffd9b87c342 1977->1983 2002 7ffd9b87c593-7ffd9b87c5f5 call 7ffd9b87c010 1978->2002 2010 7ffd9b87c3c9-7ffd9b87c3e4 1978->2010 1979->1970 1988 7ffd9b87c14c-7ffd9b87c15e 1981->1988 1989 7ffd9b87c135-7ffd9b87c14a 1981->1989 1982->1981 1986 7ffd9b87c344-7ffd9b87c345 1983->1986 1987 7ffd9b87c368-7ffd9b87c369 1983->1987 1992 7ffd9b87c34a-7ffd9b87c35c 1986->1992 1987->2002 2003 7ffd9b87c36f-7ffd9b87c385 1987->2003 1988->1935 1994 7ffd9b87c160-7ffd9b87c178 1988->1994 1989->1988 1997 7ffd9b87c361-7ffd9b87c367 1992->1997 1994->1970 1997->1987 2003->1978 2014 7ffd9b87c43d-7ffd9b87c446 2010->2014 2015 7ffd9b87c3e6-7ffd9b87c3e9 2010->2015 2016 7ffd9b87c2b5-7ffd9b87c2bc 2011->2016 2012->2016 2021 7ffd9b87c4b9-7ffd9b87c4c1 2014->2021 2018 7ffd9b87c3eb-7ffd9b87c3fd 2015->2018 2019 7ffd9b87c46a-7ffd9b87c46e 2015->2019 2016->1965 2020 7ffd9b87c2be-7ffd9b87c2c1 2016->2020 2030 7ffd9b87c3ff-7ffd9b87c40b 2018->2030 2031 7ffd9b87c44e-7ffd9b87c467 2018->2031 2027 7ffd9b87c46f-7ffd9b87c4a2 2019->2027 2020->1983 2026 7ffd9b87c2c3-7ffd9b87c2d9 2020->2026 2024 7ffd9b87c4c3-7ffd9b87c4c8 2021->2024 2025 7ffd9b87c532-7ffd9b87c547 2021->2025 2032 7ffd9b87c4ca-7ffd9b87c50e call 7ffd9b8782e0 2024->2032 2033 7ffd9b87c549-7ffd9b87c552 call 7ffd9b874d00 2024->2033 2025->2033 2026->1992 2034 7ffd9b87c2db-7ffd9b87c2e0 2026->2034 2027->2021 2037 7ffd9b87c40d-7ffd9b87c41e 2030->2037 2038 7ffd9b87c448-7ffd9b87c44d 2030->2038 2047 7ffd9b87c4a4-7ffd9b87c4b5 2031->2047 2048 7ffd9b87c469 2031->2048 2032->2002 2050 7ffd9b87c514-7ffd9b87c531 2032->2050 2046 7ffd9b87c557-7ffd9b87c567 2033->2046 2034->1997 2040 7ffd9b87c2e2-7ffd9b87c302 call 7ffd9b8782e0 2034->2040 2037->2027 2049 7ffd9b87c420-7ffd9b87c43b 2037->2049 2038->2031 2046->2002 2052 7ffd9b87c569-7ffd9b87c592 2046->2052 2047->2021 2048->2019 2049->2014 2050->2025
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 405207621d0f1b148ad7e15afa0adca16664c8c5a92a657a6b52b2f3865f2ce2
                                      • Instruction ID: b00e027324801b00800e3252840f8572ec1805f82dcabfd2f206ada39c44348e
                                      • Opcode Fuzzy Hash: 405207621d0f1b148ad7e15afa0adca16664c8c5a92a657a6b52b2f3865f2ce2
                                      • Instruction Fuzzy Hash: 8232BB3170EB8A4FE729CB6884A517577D1FFC9308B1545BED08AC72B2DD29E942CB81
                                      Function 00007FFD9B8708B5 Relevance: .7, Instructions: 652COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2335 7ffd9b8708b5-7ffd9b8708ca 2336 7ffd9b8708cc-7ffd9b87093a call 7ffd9b870528 call 7ffd9b870538 2335->2336 2337 7ffd9b870867-7ffd9b87088a 2335->2337 2360 7ffd9b87093c-7ffd9b870957 2336->2360 2340 7ffd9b87088c-7ffd9b870898 2337->2340 2341 7ffd9b870827-7ffd9b870834 2337->2341 2346 7ffd9b87089a-7ffd9b8708a6 call 7ffd9b8705a8 2340->2346 2347 7ffd9b870835-7ffd9b870866 2340->2347 2341->2347 2355 7ffd9b8708ab-7ffd9b8708b0 2346->2355 2347->2337 2362 7ffd9b870959-7ffd9b87098a 2360->2362 2366 7ffd9b87098c-7ffd9b8709a7 2362->2366 2368 7ffd9b8709a9-7ffd9b870b5b call 7ffd9b870568 * 3 call 7ffd9b870588 call 7ffd9b870568 call 7ffd9b870588 call 7ffd9b870568 call 7ffd9b870588 call 7ffd9b870568 call 7ffd9b870588 call 7ffd9b870508 call 7ffd9b870518 2366->2368 2405 7ffd9b870b5d-7ffd9b870b62 2368->2405 2406 7ffd9b870b6c-7ffd9b870b78 2368->2406 2405->2406 2407 7ffd9b870b7e-7ffd9b870b92 call 7ffd9b8704e8 2406->2407 2408 7ffd9b870e28-7ffd9b870e61 2406->2408 2413 7ffd9b870ba3-7ffd9b870bb3 2407->2413 2414 7ffd9b870b94-7ffd9b870b99 2407->2414 2413->2408 2415 7ffd9b870bb9-7ffd9b870bde call 7ffd9b870598 2413->2415 2414->2413 2418 7ffd9b870bef-7ffd9b870c03 2415->2418 2419 7ffd9b870be0-7ffd9b870be5 2415->2419 2418->2408 2420 7ffd9b870c09-7ffd9b870c2b call 7ffd9b870598 2418->2420 2419->2418 2423 7ffd9b870c2d-7ffd9b870c32 2420->2423 2424 7ffd9b870c3c-7ffd9b870c50 2420->2424 2423->2424 2424->2408 2425 7ffd9b870c56-7ffd9b870c7d call 7ffd9b870578 2424->2425 2428 7ffd9b870c82-7ffd9b870c8d 2425->2428 2429 7ffd9b870c8f-7ffd9b870c94 2428->2429 2430 7ffd9b870c9e-7ffd9b870cae 2428->2430 2429->2430 2430->2408 2431 7ffd9b870cb4-7ffd9b870ceb call 7ffd9b870578 2430->2431 2435 7ffd9b870ced-7ffd9b870cf2 2431->2435 2436 7ffd9b870cfc-7ffd9b870d08 2431->2436 2435->2436 2436->2408 2437 7ffd9b870d0e-7ffd9b870d68 call 7ffd9b870578 2436->2437 2444 7ffd9b870d79-7ffd9b870d89 2437->2444 2445 7ffd9b870d6a-7ffd9b870d6f 2437->2445 2444->2408 2446 7ffd9b870d8f-7ffd9b870dc6 call 7ffd9b870578 2444->2446 2445->2444 2450 7ffd9b870dd7-7ffd9b870de7 2446->2450 2451 7ffd9b870dc8-7ffd9b870dcd 2446->2451 2450->2408 2452 7ffd9b870de9-7ffd9b870e27 call 7ffd9b870578 2450->2452 2451->2450
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 06be578abf0020567c74e95292d1e54cbe242639e7282e1e226786b261112bf3
                                      • Instruction ID: 89377dc283f96063e5efe3348a71032ceca4e505f12c8c4b0f25ec5a1ed399d5
                                      • Opcode Fuzzy Hash: 06be578abf0020567c74e95292d1e54cbe242639e7282e1e226786b261112bf3
                                      • Instruction Fuzzy Hash: 9C12A331B18A4D8FEB98EB98C8A5AB973D1FF98704F11017AD01DC72D6DE24AC42C740
                                      Function 00007FFD9B87C6D9 Relevance: .5, Instructions: 521COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a08d9dc8b9ed4342a83adbdfdf1ed50ff421083dfd78d7702ded82dfd88a6826
                                      • Instruction ID: 8d846fa91ece3c46f582788383369274e9639b63821275305c4e7159b5bf8c8e
                                      • Opcode Fuzzy Hash: a08d9dc8b9ed4342a83adbdfdf1ed50ff421083dfd78d7702ded82dfd88a6826
                                      • Instruction Fuzzy Hash: CDF17B3160DB4A4FE369CB6884A9175B7D2FF98305F15467ED0C6C72B1DE28A942CB80
                                      Function 00007FFD9B8750F1 Relevance: .3, Instructions: 300COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47a585e706b4015dd90f7f7d270b82bce7f047ad461ef0b66668000e64f73d9a
                                      • Instruction ID: bcfed687caacbeba418d5cf8b82d807620397ee056a54ed5db4701e596ee9d5b
                                      • Opcode Fuzzy Hash: 47a585e706b4015dd90f7f7d270b82bce7f047ad461ef0b66668000e64f73d9a
                                      • Instruction Fuzzy Hash: 48812A31B1DA4E4FD76CEF6894A54B973E1FF99304B00057EE44BC3192ED24F9428681
                                      Function 00007FFD9B88576F Relevance: .2, Instructions: 171COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05e926ff246ed762e6aef1de48db8d24e2969f145f4fafba066858a02a15c861
                                      • Instruction ID: 6f769d09ba27eb75bab8fceac8b3dde76d550dff5b9332ffef7ab029dec80759
                                      • Opcode Fuzzy Hash: 05e926ff246ed762e6aef1de48db8d24e2969f145f4fafba066858a02a15c861
                                      • Instruction Fuzzy Hash: 28415A31A0E78D4FD31E9B3888610F57BA1DB47220B1582BFD486C71B7DD2868478392
                                      Function 00007FFD9B8857BC Relevance: .1, Instructions: 146COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d54d732b3ccabd63331b870cbab5d1cf0ef7293d2648d3e9fba2e78624bb34c6
                                      • Instruction ID: ba1712b3026dd14631ff3647dc3028c1173e02d948bed2756698afc9e260b747
                                      • Opcode Fuzzy Hash: d54d732b3ccabd63331b870cbab5d1cf0ef7293d2648d3e9fba2e78624bb34c6
                                      • Instruction Fuzzy Hash: 05415831A0E78D0FC71F9B7488614A67FA5DB87310B1682BFD496CB1E7DC28580683D2
                                      Function 00007FFD9B87381A Relevance: 1.6, APIs: 1, Instructions: 141memoryCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 679 7ffd9b87381a-7ffd9b873827 680 7ffd9b873832-7ffd9b873843 679->680 681 7ffd9b873829-7ffd9b873831 679->681 682 7ffd9b87384e-7ffd9b873909 VirtualProtect 680->682 683 7ffd9b873845-7ffd9b87384d 680->683 681->680 687 7ffd9b873911-7ffd9b873942 682->687 688 7ffd9b87390b 682->688 683->682 688->687
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 354a0276f33f73b5524aac9f6449ef914a29663517e655a33c1186b5c804d087
                                      • Instruction ID: e85c9b9c7711e3f300ac95bd4929d283d47680ae72596b12dd48de4d7c76c9a4
                                      • Opcode Fuzzy Hash: 354a0276f33f73b5524aac9f6449ef914a29663517e655a33c1186b5c804d087
                                      • Instruction Fuzzy Hash: DF41083190C7884FDB1D9BA898566E97FE0EF56321F0443AFD099D3293DB786806C792
                                      Function 00007FFD9B870E65 Relevance: 1.6, APIs: 1, Instructions: 136COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 690 7ffd9b870e65-7ffd9b870e87 691 7ffd9b870e90-7ffd9b870e9a 690->691 692 7ffd9b870e89 690->692 693 7ffd9b870e9c-7ffd9b870f1c FreeConsole 691->693 694 7ffd9b870e37-7ffd9b870e61 691->694 692->691 698 7ffd9b870f24-7ffd9b870f4b 693->698 699 7ffd9b870f1e 693->699 699->698
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID: ConsoleFree
                                      • String ID:
                                      • API String ID: 771614528-0
                                      • Opcode ID: 290d39a4e2b422f06df59d6ed4318d461624535da38227acf89a784d7d2f544f
                                      • Instruction ID: c0da18a7963369065eb4273d0c6ab0b16498e99c8c8c8d5d1b607d66a97f5b9f
                                      • Opcode Fuzzy Hash: 290d39a4e2b422f06df59d6ed4318d461624535da38227acf89a784d7d2f544f
                                      • Instruction Fuzzy Hash: F341073150D78C8FDB16DB68D845AE97FF0EF56320F0441AFD089C71A3D6656549CB42
                                      Function 00007FFD9B9410C9 Relevance: .1, Instructions: 147COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892724843.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b940000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6450ecd11dee795d36541b5ea6e6c83e1365cbbe1d0ebdae83c6042d8d038274
                                      • Instruction ID: 023d52732767cbecd5c661938e1d7ed9502303e3a5eceeeef4b3bc177c4dc1bc
                                      • Opcode Fuzzy Hash: 6450ecd11dee795d36541b5ea6e6c83e1365cbbe1d0ebdae83c6042d8d038274
                                      • Instruction Fuzzy Hash: 04416831A0EAAD4FDB66DF54C8A04E87FB1FF56304B0642EBD449CB1A3DA24A941C340

                                      Non-executed Functions

                                      Function 00007FFD9B8711F2 Relevance: .1, Instructions: 125COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1892442479.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_NoERE2024000013833.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33f564ab55fd22f2a152967b851cd23da9bbc9611464877ae6251fd69e3f163b
                                      • Instruction ID: fd0ae6af8376d301c17708d59543eebaedec8be07bde31ac967b3e8f817679bf
                                      • Opcode Fuzzy Hash: 33f564ab55fd22f2a152967b851cd23da9bbc9611464877ae6251fd69e3f163b
                                      • Instruction Fuzzy Hash: 7D31E767B0C4329DA70EBBBDBD598E97704DF8533930545BBD1D9CF093A944208B86E4

                                      Execution Graph

                                      Execution Coverage:10.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:456
                                      Total number of Limit Nodes:45
                                      execution_graph 52229 2afba6f 52232 2afb82c 52229->52232 52233 2afb837 52232->52233 52236 2afcc30 52233->52236 52234 2afba7c 52237 2afcc36 GetCurrentThreadId 52236->52237 52239 2afccd5 52237->52239 52239->52234 52240 674a9f0 52242 674aa00 52240->52242 52241 674aa05 52242->52241 52246 11539c0 52242->52246 52251 11539af 52242->52251 52243 674aa41 52248 11539dc 52246->52248 52247 1153aec 52247->52243 52248->52247 52249 62c3968 GlobalMemoryStatusEx 52248->52249 52250 62c3978 GlobalMemoryStatusEx 52248->52250 52249->52248 52250->52248 52253 11539dc 52251->52253 52252 1153aec 52252->52243 52253->52252 52254 62c3968 GlobalMemoryStatusEx 52253->52254 52255 62c3978 GlobalMemoryStatusEx 52253->52255 52254->52253 52255->52253 52256 67479f0 52257 67479f3 52256->52257 52260 6746b9c 52257->52260 52262 6746ba7 52260->52262 52264 6746cac 52262->52264 52265 6746cb7 52264->52265 52271 6747a19 52265->52271 52272 6743580 52265->52272 52268 6743580 GetFocus 52269 6747da9 52268->52269 52270 6743580 GetFocus 52269->52270 52269->52271 52270->52271 52273 674358a 52272->52273 52277 6743748 52273->52277 52281 6743739 52273->52281 52274 67435be 52274->52268 52285 67437f7 52277->52285 52298 6743808 52277->52298 52278 6743766 52278->52274 52282 6743766 52281->52282 52283 67437f7 GetFocus 52281->52283 52284 6743808 GetFocus 52281->52284 52282->52274 52283->52282 52284->52282 52286 67437ef 52285->52286 52288 6743802 52285->52288 52286->52278 52287 6743895 52287->52278 52288->52287 52290 6743baf 52288->52290 52310 6743920 GetFocus 52288->52310 52292 6743d02 52290->52292 52293 6743daf 52290->52293 52311 6741cd4 GetFocus 52290->52311 52292->52278 52293->52292 52294 6743580 GetFocus 52293->52294 52295 6743fd8 52294->52295 52296 6743580 GetFocus 52295->52296 52297 6743ffc 52295->52297 52296->52297 52299 6743840 52298->52299 52301 6743895 52299->52301 52302 6743baf 52299->52302 52312 6743920 GetFocus 52299->52312 52301->52278 52304 6743d02 52302->52304 52305 6743daf 52302->52305 52313 6741cd4 GetFocus 52302->52313 52304->52278 52305->52304 52306 6743580 GetFocus 52305->52306 52307 6743fd8 52306->52307 52308 6743580 GetFocus 52307->52308 52309 6743ffc 52307->52309 52308->52309 52310->52290 52311->52293 52312->52302 52313->52305 52318 62cec08 52319 62cec4c SetWindowsHookExA 52318->52319 52321 62cec92 52319->52321 52779 674a840 DispatchMessageW 52780 674a8ac 52779->52780 52322 2af0848 52324 2af084e 52322->52324 52323 2af091b 52324->52323 52329 2af14d7 52324->52329 52340 2af15f0 52324->52340 52352 62cf298 52324->52352 52356 62cf287 52324->52356 52330 2af14ee 52329->52330 52331 2af15e8 52330->52331 52335 2af15f0 8 API calls 52330->52335 52360 2af7042 52330->52360 52364 2af70e0 52330->52364 52368 62c8f92 52330->52368 52372 62c8fa0 52330->52372 52376 2afda90 52330->52376 52383 2afd968 52330->52383 52387 2afd978 52330->52387 52331->52324 52335->52330 52342 2af14ee 52340->52342 52343 2af15f7 52340->52343 52341 2af15e8 52341->52324 52342->52341 52344 2af7042 6 API calls 52342->52344 52345 2af70e0 6 API calls 52342->52345 52346 2afd968 GlobalMemoryStatusEx 52342->52346 52347 2afd978 GlobalMemoryStatusEx 52342->52347 52348 2afda90 GlobalMemoryStatusEx 52342->52348 52349 2af15f0 8 API calls 52342->52349 52350 62c8fa0 KiUserCallbackDispatcher 52342->52350 52351 62c8f92 KiUserCallbackDispatcher 52342->52351 52343->52324 52344->52342 52345->52342 52346->52342 52347->52342 52348->52342 52349->52342 52350->52342 52351->52342 52353 62cf2a7 52352->52353 52458 62cdd68 52353->52458 52357 62cf298 52356->52357 52358 62cdd68 4 API calls 52357->52358 52359 62cf2c7 52358->52359 52359->52324 52361 2af7068 52360->52361 52362 2af70ac 52361->52362 52391 2af9d94 52361->52391 52362->52330 52365 2af70ea 52364->52365 52366 2af717f 52365->52366 52367 2af9d94 6 API calls 52365->52367 52366->52330 52367->52365 52370 62c8f9b 52368->52370 52371 62c9063 52370->52371 52438 62c8c54 52370->52438 52371->52330 52373 62c8fb2 52372->52373 52374 62c9063 52373->52374 52375 62c8c54 KiUserCallbackDispatcher 52373->52375 52374->52330 52375->52374 52377 2afda9a 52376->52377 52378 2afdab4 52377->52378 52446 62c3968 52377->52446 52450 62c3978 52377->52450 52379 2afdafa 52378->52379 52454 62c5437 52378->52454 52379->52330 52385 2afd98e 52383->52385 52384 2afdafa 52384->52330 52385->52384 52386 62c5437 GlobalMemoryStatusEx 52385->52386 52386->52384 52389 2afd98e 52387->52389 52388 2afdafa 52388->52330 52389->52388 52390 62c5437 GlobalMemoryStatusEx 52389->52390 52390->52388 52392 2af9e03 52391->52392 52393 2af9f17 GetActiveWindow 52392->52393 52394 2af9f45 52392->52394 52395 2af9fb7 52392->52395 52393->52394 52394->52395 52399 2afa7e8 52394->52399 52403 2afa7c0 52394->52403 52407 2afa7b0 52394->52407 52395->52361 52400 2afa7f8 52399->52400 52401 2afa815 52400->52401 52411 2af9cc8 52400->52411 52401->52395 52404 2afa7c9 52403->52404 52421 2af9cb8 52404->52421 52408 2afa7c0 52407->52408 52409 2af9cb8 5 API calls 52408->52409 52410 2afa7d4 52409->52410 52410->52395 52412 2af9cd3 GetCurrentProcess 52411->52412 52414 2afae99 52412->52414 52415 2afaea0 GetCurrentThread 52412->52415 52414->52415 52416 2afaedd GetCurrentProcess 52415->52416 52417 2afaed6 52415->52417 52420 2afaf13 52416->52420 52417->52416 52418 2afaf3b GetCurrentThreadId 52419 2afaf6c 52418->52419 52419->52401 52420->52418 52422 2af9cc3 52421->52422 52425 2afb81c 52422->52425 52424 2afba32 52426 2afb827 52425->52426 52427 2afa7e8 4 API calls 52426->52427 52430 2afbb11 52426->52430 52428 2afbb2b 52427->52428 52431 2afb904 52428->52431 52430->52424 52433 2afb90f 52431->52433 52432 2afbe4b 52432->52430 52433->52432 52435 2afb920 52433->52435 52436 2afbe80 OleInitialize 52435->52436 52437 2afbee4 52436->52437 52437->52432 52439 62c8c5f 52438->52439 52441 62cc68b 52439->52441 52442 62c9df4 52439->52442 52441->52371 52443 62cc6a0 KiUserCallbackDispatcher 52442->52443 52445 62cc70e 52443->52445 52445->52439 52448 62c398d 52446->52448 52447 62c3ba2 52447->52378 52448->52447 52449 62c3f91 GlobalMemoryStatusEx 52448->52449 52449->52448 52452 62c398d 52450->52452 52451 62c3ba2 52451->52378 52452->52451 52453 62c3f91 GlobalMemoryStatusEx 52452->52453 52453->52452 52455 62c5442 52454->52455 52456 62c3978 GlobalMemoryStatusEx 52455->52456 52457 62c5449 52456->52457 52457->52379 52459 62cdd73 52458->52459 52462 62cf2e0 52459->52462 52461 62cf78d 52461->52461 52464 62cf2eb 52462->52464 52463 62cf9d8 52465 62cfa33 52463->52465 52479 6749b89 52463->52479 52464->52463 52464->52465 52469 6740dc0 52464->52469 52474 6740db2 52464->52474 52465->52461 52471 6740de1 52469->52471 52470 6740e05 52470->52463 52471->52470 52483 6740f70 52471->52483 52488 6740f6a 52471->52488 52475 6740dbd 52474->52475 52476 6740e05 52475->52476 52477 6740f70 3 API calls 52475->52477 52478 6740f6a 3 API calls 52475->52478 52476->52463 52477->52476 52478->52476 52481 6749bb9 52479->52481 52480 6749f98 WaitMessage 52480->52481 52481->52480 52482 6749c44 52481->52482 52484 6740f7d 52483->52484 52485 6740fb6 52484->52485 52493 6740fd8 52484->52493 52499 6740fc8 52484->52499 52485->52470 52489 6740f70 52488->52489 52490 6740fb6 52489->52490 52491 6740fd8 3 API calls 52489->52491 52492 6740fc8 3 API calls 52489->52492 52490->52470 52491->52490 52492->52490 52494 6741000 52493->52494 52495 6741028 52494->52495 52505 67410d4 52494->52505 52517 6741088 52494->52517 52528 6741070 52494->52528 52500 6741000 52499->52500 52501 6741028 52500->52501 52502 67410d4 3 API calls 52500->52502 52503 6741070 3 API calls 52500->52503 52504 6741088 3 API calls 52500->52504 52501->52501 52502->52501 52503->52501 52504->52501 52506 6741092 52505->52506 52507 67410e2 52505->52507 52539 6741e78 52506->52539 52547 6741e88 52506->52547 52508 6741097 52555 6745878 52508->52555 52560 6745875 52508->52560 52509 67410c7 52565 6745a67 52509->52565 52571 6745a70 52509->52571 52510 67410d1 52510->52495 52518 6741092 52517->52518 52524 6741e78 3 API calls 52518->52524 52525 6741e88 3 API calls 52518->52525 52519 6741097 52526 6745875 GetFocus 52519->52526 52527 6745878 GetFocus 52519->52527 52520 67410c7 52522 6745a67 2 API calls 52520->52522 52523 6745a70 2 API calls 52520->52523 52521 67410d1 52521->52495 52522->52521 52523->52521 52524->52519 52525->52519 52526->52520 52527->52520 52529 6741088 52528->52529 52537 6741e78 3 API calls 52529->52537 52538 6741e88 3 API calls 52529->52538 52530 6741097 52533 6745875 GetFocus 52530->52533 52534 6745878 GetFocus 52530->52534 52531 67410c7 52535 6745a67 2 API calls 52531->52535 52536 6745a70 2 API calls 52531->52536 52532 67410d1 52532->52495 52533->52531 52534->52531 52535->52532 52536->52532 52537->52530 52538->52530 52540 6741e83 52539->52540 52544 6743580 GetFocus 52540->52544 52577 6743573 52540->52577 52582 67435db 52540->52582 52541 6742118 52542 6742190 52541->52542 52543 6740dc0 3 API calls 52541->52543 52542->52508 52543->52542 52544->52541 52548 6741eae 52547->52548 52552 6743580 GetFocus 52548->52552 52553 6743573 GetFocus 52548->52553 52554 67435db GetFocus 52548->52554 52549 6742190 52549->52508 52550 6740dc0 3 API calls 52550->52549 52551 6742118 52551->52549 52551->52550 52552->52551 52553->52551 52554->52551 52556 674589f 52555->52556 52587 6744c78 52555->52587 52558 6743808 GetFocus 52556->52558 52559 67458b9 52558->52559 52559->52509 52561 6744c78 GetFocus 52560->52561 52562 674589f 52561->52562 52563 6743808 GetFocus 52562->52563 52564 67458b9 52563->52564 52564->52509 52567 6745aed 52565->52567 52568 6745aa1 52565->52568 52566 6745aad 52566->52510 52567->52510 52568->52566 52593 6745ce8 52568->52593 52596 6745cd8 52568->52596 52573 6745aed 52571->52573 52574 6745aa1 52571->52574 52572 6745aad 52572->52510 52573->52510 52574->52572 52575 6745ce8 2 API calls 52574->52575 52576 6745cd8 2 API calls 52574->52576 52575->52573 52576->52573 52578 6743580 52577->52578 52580 6743748 GetFocus 52578->52580 52581 6743739 GetFocus 52578->52581 52579 67435be 52579->52541 52580->52579 52581->52579 52583 67435ad 52582->52583 52584 67435be 52583->52584 52585 6743748 GetFocus 52583->52585 52586 6743739 GetFocus 52583->52586 52584->52541 52585->52584 52586->52584 52589 6744c83 52587->52589 52588 6745a11 52588->52556 52589->52588 52590 6743808 GetFocus 52589->52590 52591 674598f 52590->52591 52591->52588 52592 6744c78 GetFocus 52591->52592 52592->52591 52600 6745d1a 52593->52600 52594 6745cf2 52594->52567 52597 6745ce8 52596->52597 52599 6745d1a 2 API calls 52597->52599 52598 6745cf2 52598->52567 52599->52598 52601 6745d39 52600->52601 52603 6745d54 52600->52603 52605 62cab18 GetModuleHandleW 52601->52605 52606 62cab20 GetModuleHandleW 52601->52606 52602 6745d44 52602->52603 52604 6745d1a GetModuleHandleW GetModuleHandleW 52602->52604 52603->52594 52604->52603 52605->52602 52606->52602 52607 29cd0f0 52608 29cd108 52607->52608 52609 29cd162 52608->52609 52614 62cb408 52608->52614 52618 62cc0d1 52608->52618 52630 62cb3f7 52608->52630 52634 62c9c84 52608->52634 52615 62cb42e 52614->52615 52616 62c9c84 4 API calls 52615->52616 52617 62cb44f 52616->52617 52617->52609 52619 62cc0e0 52618->52619 52620 62cc141 52619->52620 52622 62cc131 52619->52622 52623 62cc13f 52620->52623 52685 62c9d9c 52620->52685 52646 67465a4 52622->52646 52652 62cc268 52622->52652 52659 67464c9 52622->52659 52664 67464d8 52622->52664 52669 674657f 52622->52669 52678 62cc258 52622->52678 52631 62cb408 52630->52631 52632 62c9c84 4 API calls 52631->52632 52633 62cb44f 52632->52633 52633->52609 52635 62c9c8f 52634->52635 52636 62cc141 52635->52636 52638 62cc131 52635->52638 52637 62c9d9c 4 API calls 52636->52637 52639 62cc13f 52636->52639 52637->52639 52640 67465a4 4 API calls 52638->52640 52641 62cc268 4 API calls 52638->52641 52642 62cc258 4 API calls 52638->52642 52643 674657f 4 API calls 52638->52643 52644 67464d8 4 API calls 52638->52644 52645 67464c9 4 API calls 52638->52645 52639->52639 52640->52639 52641->52639 52642->52639 52643->52639 52644->52639 52645->52639 52647 67465b2 52646->52647 52648 6746562 52646->52648 52651 674657f 4 API calls 52648->52651 52692 6746590 52648->52692 52649 6746578 52649->52623 52651->52649 52654 62cc276 52652->52654 52653 62c9d9c 4 API calls 52653->52654 52654->52653 52655 62cc34e 52654->52655 52714 62ccb30 52654->52714 52719 62ccb40 52654->52719 52724 62ccabf 52654->52724 52655->52623 52661 67464d8 52659->52661 52660 6746578 52660->52623 52662 6746590 4 API calls 52661->52662 52663 674657f 4 API calls 52661->52663 52662->52660 52663->52660 52666 67464ec 52664->52666 52665 6746578 52665->52623 52667 6746590 4 API calls 52666->52667 52668 674657f 4 API calls 52666->52668 52667->52665 52668->52665 52670 674658e 52669->52670 52671 674658a 52669->52671 52676 67479d0 4 API calls 52670->52676 52677 67465a1 52670->52677 52671->52670 52672 6746510 52671->52672 52674 6746590 4 API calls 52672->52674 52675 674657f 4 API calls 52672->52675 52673 6746578 52673->52623 52674->52673 52675->52673 52676->52677 52677->52623 52680 62cc268 52678->52680 52679 62c9d9c 4 API calls 52679->52680 52680->52679 52681 62cc34e 52680->52681 52682 62ccabf OleGetClipboard 52680->52682 52683 62ccb30 OleGetClipboard 52680->52683 52684 62ccb40 OleGetClipboard 52680->52684 52681->52623 52682->52680 52683->52680 52684->52680 52686 62c9da7 52685->52686 52687 62cc3aa 52686->52687 52688 62cc454 52686->52688 52690 62cc402 CallWindowProcW 52687->52690 52691 62cc3b1 52687->52691 52689 62c9c84 3 API calls 52688->52689 52689->52691 52690->52691 52691->52623 52693 67465a1 52692->52693 52695 67479d0 52692->52695 52693->52649 52697 62c9d9c 4 API calls 52695->52697 52700 62cc358 52695->52700 52707 62c9d6f 52695->52707 52696 67479da 52696->52693 52697->52696 52701 62cc365 52700->52701 52702 62cc3aa 52701->52702 52703 62cc454 52701->52703 52705 62cc402 CallWindowProcW 52702->52705 52706 62cc3b1 52702->52706 52704 62c9c84 3 API calls 52703->52704 52704->52706 52705->52706 52706->52696 52708 62c9d85 52707->52708 52709 62cc3aa 52708->52709 52710 62cc454 52708->52710 52712 62cc402 CallWindowProcW 52709->52712 52713 62cc3b1 52709->52713 52711 62c9c84 3 API calls 52710->52711 52711->52713 52712->52713 52713->52696 52715 62ccb5f 52714->52715 52716 62ccc07 52715->52716 52729 62ccce8 52715->52729 52735 62cccf8 52715->52735 52716->52654 52720 62ccb5f 52719->52720 52721 62ccc07 52720->52721 52722 62ccce8 OleGetClipboard 52720->52722 52723 62cccf8 OleGetClipboard 52720->52723 52721->52654 52722->52720 52723->52720 52725 62ccad5 52724->52725 52726 62ccada 52725->52726 52727 62ccce8 OleGetClipboard 52725->52727 52728 62cccf8 OleGetClipboard 52725->52728 52726->52654 52727->52725 52728->52725 52731 62cccf8 52729->52731 52730 62ccd14 52730->52715 52731->52730 52741 62ccd30 52731->52741 52752 62ccd40 52731->52752 52732 62ccd29 52732->52715 52737 62ccd00 52735->52737 52736 62ccd14 52736->52715 52737->52736 52739 62ccd30 OleGetClipboard 52737->52739 52740 62ccd40 OleGetClipboard 52737->52740 52738 62ccd29 52738->52715 52739->52738 52740->52738 52742 62ccd40 52741->52742 52743 62ccd6d 52742->52743 52745 62ccdb1 52742->52745 52748 62ccd30 OleGetClipboard 52743->52748 52749 62ccd40 OleGetClipboard 52743->52749 52744 62ccd73 52744->52732 52747 62cce31 52745->52747 52763 62ccf08 52745->52763 52767 62ccf18 52745->52767 52746 62cce4f 52746->52732 52747->52732 52748->52744 52749->52744 52753 62ccd52 52752->52753 52754 62ccd6d 52753->52754 52756 62ccdb1 52753->52756 52759 62ccd30 OleGetClipboard 52754->52759 52760 62ccd40 OleGetClipboard 52754->52760 52755 62ccd73 52755->52732 52758 62cce31 52756->52758 52761 62ccf08 OleGetClipboard 52756->52761 52762 62ccf18 OleGetClipboard 52756->52762 52757 62cce4f 52757->52732 52758->52732 52759->52755 52760->52755 52761->52757 52762->52757 52765 62ccf18 52763->52765 52766 62ccf53 52765->52766 52771 62cc9ac 52765->52771 52766->52746 52769 62ccf2d 52767->52769 52768 62cc9ac OleGetClipboard 52768->52769 52769->52768 52770 62ccf53 52769->52770 52770->52746 52772 62ccfc0 OleGetClipboard 52771->52772 52774 62cd05a 52772->52774 52781 62cb250 52782 62cb2b8 CreateWindowExW 52781->52782 52784 62cb374 52782->52784 52314 2afcd30 52315 2afcd7e EnumThreadWindows 52314->52315 52316 2afcd74 52314->52316 52317 2afcdb0 52315->52317 52316->52315 52775 2afd4c0 52776 2afd505 MessageBoxW 52775->52776 52778 2afd54c 52776->52778 52785 2afb050 DuplicateHandle 52786 2afb0e6 52785->52786

                                      Executed Functions

                                      Function 06286E50 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 128 6286e50-6286e71 129 6286e73-6286e76 128->129 130 6286e7c-6286e9b 129->130 131 6287617-628761a 129->131 142 6286e9d-6286ea0 130->142 143 6286eb4-6286ebe 130->143 132 628761c-628763b 131->132 133 6287640-6287642 131->133 132->133 134 6287649-628764c 133->134 135 6287644 133->135 134->129 138 6287652-628765b 134->138 135->134 142->143 144 6286ea2-6286eb2 142->144 147 6286ec4-6286ed3 143->147 144->147 255 6286ed5 call 6287668 147->255 256 6286ed5 call 6287670 147->256 148 6286eda-6286edf 149 6286eec-62871c9 148->149 150 6286ee1-6286ee7 148->150 171 6287609-6287616 149->171 172 62871cf-628727e 149->172 150->138 181 6287280-62872a5 172->181 182 62872a7 172->182 184 62872b0-62872c3 181->184 182->184 186 62872c9-62872eb 184->186 187 62875f0-62875fc 184->187 186->187 190 62872f1-62872fb 186->190 187->172 188 6287602 187->188 188->171 190->187 191 6287301-628730c 190->191 191->187 192 6287312-62873e8 191->192 204 62873ea-62873ec 192->204 205 62873f6-6287426 192->205 204->205 209 6287428-628742a 205->209 210 6287434-6287440 205->210 209->210 211 62874a0-62874a4 210->211 212 6287442-6287446 210->212 213 62874aa-62874e6 211->213 214 62875e1-62875ea 211->214 212->211 215 6287448-6287472 212->215 226 62874e8-62874ea 213->226 227 62874f4-6287502 213->227 214->187 214->192 222 6287480-628749d 215->222 223 6287474-6287476 215->223 222->211 223->222 226->227 229 6287519-6287524 227->229 230 6287504-628750f 227->230 234 628753c-628754d 229->234 235 6287526-628752c 229->235 230->229 233 6287511 230->233 233->229 239 628754f-6287555 234->239 240 6287565-6287571 234->240 236 628752e 235->236 237 6287530-6287532 235->237 236->234 237->234 241 6287559-628755b 239->241 242 6287557 239->242 244 6287589-62875da 240->244 245 6287573-6287579 240->245 241->240 242->240 244->214 246 628757b 245->246 247 628757d-628757f 245->247 246->244 247->244 255->148 256->148
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-2392861976
                                      • Opcode ID: 85dd5b36506c049bb6c7b9f795baf01dcd60fd4a1b153a55bba005a1a53d07b1
                                      • Instruction ID: 97391c684188c0b44469614b116dee7f9f2f8b729f1d16ae136e3f87facd5af2
                                      • Opcode Fuzzy Hash: 85dd5b36506c049bb6c7b9f795baf01dcd60fd4a1b153a55bba005a1a53d07b1
                                      • Instruction Fuzzy Hash: 70322F31E1071A8FCB14EF79C95459DB7B2FFC9300F2486A9D409AB264EF70A985CB81
                                      Function 0628BF38 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1035 628bf38-628bf56 1036 628bf58-628bf5b 1035->1036 1037 628bf7c-628bf7f 1036->1037 1038 628bf5d-628bf77 1036->1038 1039 628bf8c-628bf8f 1037->1039 1040 628bf81-628bf8b 1037->1040 1038->1037 1042 628bf91-628bfad 1039->1042 1043 628bfb2-628bfb5 1039->1043 1042->1043 1044 628bfcc-628bfce 1043->1044 1045 628bfb7-628bfc5 1043->1045 1046 628bfd0 1044->1046 1047 628bfd5-628bfd8 1044->1047 1051 628bfde-628bff4 1045->1051 1052 628bfc7 1045->1052 1046->1047 1047->1036 1047->1051 1055 628bffa-628c003 1051->1055 1056 628c20f-628c219 1051->1056 1052->1044 1057 628c009-628c026 1055->1057 1058 628c21a-628c24f 1055->1058 1063 628c1fc-628c209 1057->1063 1064 628c02c-628c054 1057->1064 1065 628c251-628c254 1058->1065 1063->1055 1063->1056 1064->1063 1080 628c05a-628c063 1064->1080 1066 628c256-628c272 1065->1066 1067 628c277-628c27a 1065->1067 1066->1067 1069 628c280-628c28c 1067->1069 1070 628c327-628c32a 1067->1070 1077 628c297-628c299 1069->1077 1071 628c55f-628c561 1070->1071 1072 628c330-628c33f 1070->1072 1074 628c568-628c56b 1071->1074 1075 628c563 1071->1075 1089 628c35e-628c3a2 1072->1089 1090 628c341-628c35c 1072->1090 1074->1065 1078 628c571-628c57a 1074->1078 1075->1074 1082 628c29b-628c2a1 1077->1082 1083 628c2b1-628c2b5 1077->1083 1080->1058 1091 628c069-628c085 1080->1091 1084 628c2a3 1082->1084 1085 628c2a5-628c2a7 1082->1085 1086 628c2c3 1083->1086 1087 628c2b7-628c2c1 1083->1087 1084->1083 1085->1083 1092 628c2c8-628c2ca 1086->1092 1087->1092 1100 628c3a8-628c3b9 1089->1100 1101 628c533-628c549 1089->1101 1090->1089 1098 628c1ea-628c1f6 1091->1098 1099 628c08b-628c0b5 call 6288388 1091->1099 1093 628c2cc-628c2cf 1092->1093 1094 628c2e1-628c31a 1092->1094 1093->1078 1094->1072 1121 628c31c-628c326 1094->1121 1098->1063 1098->1080 1118 628c0bb-628c0e3 1099->1118 1119 628c1e0-628c1e5 1099->1119 1107 628c51e-628c52d 1100->1107 1108 628c3bf-628c3dc 1100->1108 1101->1071 1107->1100 1107->1101 1108->1107 1122 628c3e2-628c4d8 call 628a758 1108->1122 1118->1119 1127 628c0e9-628c117 1118->1127 1119->1098 1171 628c4da-628c4e4 1122->1171 1172 628c4e6 1122->1172 1127->1119 1133 628c11d-628c126 1127->1133 1133->1119 1135 628c12c-628c15e 1133->1135 1142 628c169-628c185 1135->1142 1143 628c160-628c164 1135->1143 1142->1098 1145 628c187-628c1de call 628a758 1142->1145 1143->1119 1144 628c166 1143->1144 1144->1142 1145->1098 1173 628c4eb-628c4ed 1171->1173 1172->1173 1173->1107 1174 628c4ef-628c4f4 1173->1174 1175 628c502 1174->1175 1176 628c4f6-628c500 1174->1176 1177 628c507-628c509 1175->1177 1176->1177 1177->1107 1178 628c50b-628c517 1177->1178 1178->1107
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q
                                      • API String ID: 0-355816377
                                      • Opcode ID: 1fa3dfd7fc82c295b2f1d71dfa554c6f91cb72c1a557f505957f464e6372985a
                                      • Instruction ID: 1a452e0b8842b77f0657f89665c6be19fcef5785fcf3c1bcef231df7b29cd736
                                      • Opcode Fuzzy Hash: 1fa3dfd7fc82c295b2f1d71dfa554c6f91cb72c1a557f505957f464e6372985a
                                      • Instruction Fuzzy Hash: FC02C130B112069FDB54EB74D9946AEB7F2EF84310F148569D806EB394DB34EC86CB91
                                      Function 062807F8 Relevance: 2.8, Instructions: 2825COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6b9a4fd2142cee471a11f6e0b3540713a05e892a68137f8baa6f39a4eefd501b
                                      • Instruction ID: cc0af719ba7d80a6c0f318905053b6ef3003a5431785d1fece8ae2be503cac76
                                      • Opcode Fuzzy Hash: 6b9a4fd2142cee471a11f6e0b3540713a05e892a68137f8baa6f39a4eefd501b
                                      • Instruction Fuzzy Hash: 0853F831C10B1A8EDB51EF68C880599F7B1FF99300F15D79AE4587B221EB70AAD5CB81
                                      Function 06283B38 Relevance: 2.2, Instructions: 2221COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70e2fa05df0ef549aa3b9eef8584a2d1a7a399a77033f70027c491400fb1bd50
                                      • Instruction ID: 17e1edfac8d16067581e9bfb8a7507a018977a843dbb4de9c16e4231e23da6b1
                                      • Opcode Fuzzy Hash: 70e2fa05df0ef549aa3b9eef8584a2d1a7a399a77033f70027c491400fb1bd50
                                      • Instruction Fuzzy Hash: 1C231D31D2071A8ECB51EF68C8905ADF7B1FF99300F15C69AE458B7251EB70AAC5CB81
                                      Function 06749B89 Relevance: 1.8, APIs: 1, Instructions: 329COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4132766926.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6740000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c64c021c175431a6db70237f3836a5ec1ec80f38841177871847285ea7e4ce0
                                      • Instruction ID: 392c03c514184eabc07b7af2b0e9c9efc7346bc2bc39ee81f7846ef3a99809f3
                                      • Opcode Fuzzy Hash: 3c64c021c175431a6db70237f3836a5ec1ec80f38841177871847285ea7e4ce0
                                      • Instruction Fuzzy Hash: A2D14D30E00209CFDB54EFA5C988BAEBBF2BF84304F158555E515AB2A5DB70E945CF81
                                      Function 0628A7A8 Relevance: .8, Instructions: 812COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 77b58bf5378855f526845a737c41fbf6732bdc86344c53c83dda69bacf4b1bc7
                                      • Instruction ID: fd26ce3c802b007516722e67ca81b048805af817d7a349c134ad7ce0611f16e6
                                      • Opcode Fuzzy Hash: 77b58bf5378855f526845a737c41fbf6732bdc86344c53c83dda69bacf4b1bc7
                                      • Instruction Fuzzy Hash: A262A134B112059FDB54EB68D9847ADB7F2EF84310F14846AE80AEB394DB75EC42CB90
                                      Function 0628F3EF Relevance: .6, Instructions: 563COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aca10cf0ad40e845fcb3bd1e97dfe82db88a0eecaa52ce1e8277c502975c9856
                                      • Instruction ID: 7f0e5bfea7f1d4fc4652391f27766053aacd4c4a7ebf9d6e43db16d9b0f475fc
                                      • Opcode Fuzzy Hash: aca10cf0ad40e845fcb3bd1e97dfe82db88a0eecaa52ce1e8277c502975c9856
                                      • Instruction Fuzzy Hash: A122A730E2110A9FEF64EB68CA907ADB7B2EB88350F248525D819EB3D5D735DC81CB51
                                      Function 0628EE98 Relevance: 10.4, Strings: 8, Instructions: 393COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 628ee98-628eeb6 1 628eeb8-628eebb 0->1 2 628eebd-628eec2 1->2 3 628eec5-628eec8 1->3 2->3 4 628eed8-628eedb 3->4 5 628eeca-628eed3 3->5 6 628eedd-628eeea call 628835c 4->6 7 628eeef-628eef2 4->7 5->4 6->7 9 628ef0c-628ef0f 7->9 10 628eef4-628ef07 7->10 11 628ef29-628ef2c 9->11 12 628ef11-628ef1a 9->12 10->9 16 628ef32-628ef35 11->16 17 628f0b5-628f0be 11->17 14 628f0cf-628f0d9 12->14 15 628ef20-628ef24 12->15 26 628f0db-628f0e1 14->26 27 628f100-628f106 14->27 15->11 20 628ef46-628ef49 16->20 21 628ef37-628ef3b 16->21 17->12 19 628f0c4-628f0ce 17->19 23 628ef4b-628ef67 20->23 24 628ef6c-628ef6e 20->24 21->19 22 628ef41 21->22 22->20 23->24 28 628ef70 24->28 29 628ef75-628ef78 24->29 32 628f108-628f10b 26->32 33 628f0e3-628f0ff 26->33 27->32 28->29 29->1 30 628ef7e-628efa2 29->30 51 628efa8-628efb7 30->51 52 628f0b2 30->52 34 628f111-628f14c 32->34 35 628f374-628f377 32->35 33->27 43 628f33f-628f352 34->43 44 628f152-628f15e 34->44 37 628f379 call 628f3ef 35->37 38 628f386-628f389 35->38 46 628f37f-628f381 37->46 41 628f39a-628f39d 38->41 42 628f38b-628f38f 38->42 48 628f39f-628f3bb 41->48 49 628f3c0-628f3c3 41->49 42->34 47 628f395 42->47 50 628f354 43->50 59 628f17e-628f1c2 44->59 60 628f160-628f179 44->60 46->38 47->41 48->49 53 628f3d0-628f3d2 49->53 54 628f3c5-628f3cf 49->54 50->35 64 628efb9-628efbf 51->64 65 628efcf-628f00a call 628a758 51->65 52->17 57 628f3d9-628f3dc 53->57 58 628f3d4 53->58 57->32 62 628f3e2-628f3ec 57->62 58->57 78 628f1de-628f21d 59->78 79 628f1c4-628f1d6 59->79 60->50 67 628efc1 64->67 68 628efc3-628efc5 64->68 81 628f00c-628f012 65->81 82 628f022-628f039 65->82 67->65 68->65 88 628f223-628f2fe call 628a758 78->88 89 628f304-628f319 78->89 79->78 84 628f014 81->84 85 628f016-628f018 81->85 94 628f03b-628f041 82->94 95 628f051-628f062 82->95 84->82 85->82 88->89 89->43 97 628f043 94->97 98 628f045-628f047 94->98 102 628f07a-628f0ab 95->102 103 628f064-628f06a 95->103 97->95 98->95 102->52 104 628f06c 103->104 105 628f06e-628f070 103->105 104->102 105->102
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-3823777903
                                      • Opcode ID: 96ba04106be6d31fe664fa98978563fef0b91245d28a60e70649f0ec3e37af42
                                      • Instruction ID: c6bd61636c66fcb8f94a558c5bdb3e4f90cce4042ee849f96ec42f8cafd7c05a
                                      • Opcode Fuzzy Hash: 96ba04106be6d31fe664fa98978563fef0b91245d28a60e70649f0ec3e37af42
                                      • Instruction Fuzzy Hash: 44E17131E2120A8FDB55EF64D9806AEB7B2FF84344F108529D809EB398DB75DC46CB91
                                      Function 0628F808 Relevance: 8.0, Strings: 6, Instructions: 472COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-2392861976
                                      • Opcode ID: 7d7e3d006ba90cca0e90e6e218a3da4c98567adb5297eb3ee7d6070ad8f010f1
                                      • Instruction ID: 1bf1785e43f9a04629f38d51318b8b59ba611dd607f4f3d90b1cb41440369fa1
                                      • Opcode Fuzzy Hash: 7d7e3d006ba90cca0e90e6e218a3da4c98567adb5297eb3ee7d6070ad8f010f1
                                      • Instruction Fuzzy Hash: 1F02B330E2110A9FDB64EF68DA806ADB7B2FF49350F248565D809DB395DB30DC85CB81
                                      Function 02AF9CC8 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 431 2af9cc8-2afae97 GetCurrentProcess 437 2afae99-2afae9f 431->437 438 2afaea0-2afaed4 GetCurrentThread 431->438 437->438 439 2afaedd-2afaf11 GetCurrentProcess 438->439 440 2afaed6-2afaedc 438->440 442 2afaf1a-2afaf35 call 2afafd8 439->442 443 2afaf13-2afaf19 439->443 440->439 446 2afaf3b-2afaf6a GetCurrentThreadId 442->446 443->442 447 2afaf6c-2afaf72 446->447 448 2afaf73-2afafd5 446->448 447->448
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 02AFAE86
                                      • GetCurrentThread.KERNEL32 ref: 02AFAEC3
                                      • GetCurrentProcess.KERNEL32 ref: 02AFAF00
                                      • GetCurrentThreadId.KERNEL32 ref: 02AFAF59
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: c47263bb02ffc62282cc1dcc11825e9d07984ef4c5c91b66f64b03a2c709fef0
                                      • Instruction ID: ed074de79a2573a5f1f0818613a4c9a118a8fc2610b8c27240cf4b7afe3b4bdb
                                      • Opcode Fuzzy Hash: c47263bb02ffc62282cc1dcc11825e9d07984ef4c5c91b66f64b03a2c709fef0
                                      • Instruction Fuzzy Hash: DD5167B0900209DFDB44DFA9C648BDEBBF1EF88314F208459E159A7261DB38A884CF65
                                      Function 02AFAE06 Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 455 2afae06-2afae97 GetCurrentProcess 459 2afae99-2afae9f 455->459 460 2afaea0-2afaed4 GetCurrentThread 455->460 459->460 461 2afaedd-2afaf11 GetCurrentProcess 460->461 462 2afaed6-2afaedc 460->462 464 2afaf1a-2afaf35 call 2afafd8 461->464 465 2afaf13-2afaf19 461->465 462->461 468 2afaf3b-2afaf6a GetCurrentThreadId 464->468 465->464 469 2afaf6c-2afaf72 468->469 470 2afaf73-2afafd5 468->470 469->470
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 02AFAE86
                                      • GetCurrentThread.KERNEL32 ref: 02AFAEC3
                                      • GetCurrentProcess.KERNEL32 ref: 02AFAF00
                                      • GetCurrentThreadId.KERNEL32 ref: 02AFAF59
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: bb292561390bca82ea4eae4d8e5725edf9c0a9e59723cbb1237e3cf1d76c53cd
                                      • Instruction ID: be09e349d2b9f517db9e71baf570fe1ef21c104acbf736deb486a7adbb2917fd
                                      • Opcode Fuzzy Hash: bb292561390bca82ea4eae4d8e5725edf9c0a9e59723cbb1237e3cf1d76c53cd
                                      • Instruction Fuzzy Hash: 1E5155B0900209DFDB44DFA9D648BDEBBF1EF88314F208459E159A7261DB38A984CF65
                                      Function 02AF9D94 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 477 2af9d94-2af9e22 481 2af9e28-2af9e4d 477->481 482 2afa066-2afa099 477->482 487 2af9e53-2af9e78 481->487 488 2afa0a0-2afa0d5 481->488 482->488 495 2af9e7e-2af9e8e 487->495 496 2afa0dc-2afa111 487->496 488->496 501 2afa118-2afa144 495->501 502 2af9e94-2af9e98 495->502 496->501 507 2afa14b-2afa189 501->507 503 2af9e9a-2af9ea0 502->503 504 2af9ea6-2af9eab 502->504 503->504 503->507 508 2af9ead-2af9eb3 504->508 509 2af9eb9-2af9ebf 504->509 510 2afa190-2afa1ce 507->510 508->509 508->510 512 2af9ec1-2af9ec9 509->512 513 2af9ed0-2af9ee4 509->513 546 2afa1d5-2afa25e 510->546 512->513 525 2af9eea 513->525 526 2af9ee6-2af9ee8 513->526 528 2af9eef-2af9f07 525->528 526->528 531 2af9f09-2af9f0f 528->531 532 2af9f11-2af9f15 528->532 531->532 533 2af9f64-2af9f71 531->533 534 2af9f58-2af9f61 532->534 535 2af9f17-2af9f43 GetActiveWindow 532->535 543 2af9f73-2af9f89 call 2af9aa0 533->543 544 2af9fb1 533->544 534->533 538 2af9f4c-2af9f56 535->538 539 2af9f45-2af9f4b 535->539 538->533 539->538 555 2af9f8b-2af9fa2 543->555 556 2af9fa8-2af9fae 543->556 576 2af9fb1 call 2afa7e8 544->576 577 2af9fb1 call 2afa7b0 544->577 578 2af9fb1 call 2afa7c0 544->578 573 2afa26b 546->573 574 2afa260-2afa269 546->574 548 2af9fb7-2afa00b call 2af9aac 567 2afa014 548->567 555->546 555->556 556->544 567->482 575 2afa26d-2afa273 573->575 574->575 576->548 577->548 578->548
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: ActiveWindow
                                      • String ID: Hbq$Hbq
                                      • API String ID: 2558294473-4258043069
                                      • Opcode ID: 4548750b0c33f919693dacf8b5f23405dca6142563a9360499fc5411af8845ae
                                      • Instruction ID: 4839c6945495ce090e98688aca1555f7cdca0893517bcaf271c87d4ed3984b77
                                      • Opcode Fuzzy Hash: 4548750b0c33f919693dacf8b5f23405dca6142563a9360499fc5411af8845ae
                                      • Instruction Fuzzy Hash: 3CC19E70F002459FDB54AFB8D5547AE7AEBAFC8300F248468E50AEB394DF389846CB55
                                      Function 0628D310 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 579 628d310-628d335 580 628d337-628d33a 579->580 581 628d33c-628d35b 580->581 582 628d360-628d363 580->582 581->582 583 628d369-628d37e 582->583 584 628dc23-628dc25 582->584 591 628d380-628d386 583->591 592 628d396-628d3ac 583->592 586 628dc2c-628dc2f 584->586 587 628dc27 584->587 586->580 588 628dc35-628dc3f 586->588 587->586 593 628d388 591->593 594 628d38a-628d38c 591->594 596 628d3b7-628d3b9 592->596 593->592 594->592 597 628d3bb-628d3c1 596->597 598 628d3d1-628d442 596->598 599 628d3c3 597->599 600 628d3c5-628d3c7 597->600 609 628d46e-628d48a 598->609 610 628d444-628d467 598->610 599->598 600->598 615 628d48c-628d4af 609->615 616 628d4b6-628d4d1 609->616 610->609 615->616 621 628d4fc-628d517 616->621 622 628d4d3-628d4f5 616->622 627 628d519-628d53b 621->627 628 628d542-628d54c 621->628 622->621 627->628 629 628d55c-628d5d6 628->629 630 628d54e-628d557 628->630 636 628d5d8-628d5f6 629->636 637 628d623-628d638 629->637 630->588 641 628d5f8-628d607 636->641 642 628d612-628d621 636->642 637->584 641->642 642->636 642->637
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q
                                      • API String ID: 0-2125118731
                                      • Opcode ID: a32b5cbdf1bdf483db9693d9d2b45f6134162ccc07718caea54a36001ef845af
                                      • Instruction ID: 64ec8bfc7c37932ad00357eca798039ada212443c49f080e2e34e4bdb5a0d484
                                      • Opcode Fuzzy Hash: a32b5cbdf1bdf483db9693d9d2b45f6134162ccc07718caea54a36001ef845af
                                      • Instruction Fuzzy Hash: D0913030F1121A9FDB54EB65D950BAEB3F6AFC5204F108869C809EB394EB70DC46CB95
                                      Function 01153168 Relevance: 4.1, Strings: 3, Instructions: 357COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 905 1153168-115318d 906 1153193-1153195 905->906 907 11532e2-1153306 905->907 908 115330d-1153392 906->908 909 115319b-11531a4 906->909 907->908 943 1153453 908->943 944 1153398-11533ab 908->944 911 11531b7-11531de 909->911 912 11531a6-11531b4 909->912 913 11531e4-11531f7 call 1152d34 911->913 914 1153268-115326c 911->914 912->911 913->914 931 11531f9-115324c 913->931 919 11532a3-11532bc 914->919 920 115326e-115329b call 1151d4c 914->920 925 11532c6-11532c7 919->925 926 11532be 919->926 935 11532a0 920->935 925->907 926->925 931->914 937 115324e-1153261 931->937 935->919 937->914 946 1153458-1153463 943->946 944->943 949 11533b1-11533bd 944->949 950 115346a-1153478 946->950 949->946 953 11533c3-11533ee 949->953 954 1153406-115340d 950->954 955 115347a-1153493 950->955 953->943 970 11533f0-11533fc 953->970 954->950 956 115340e-115342a 954->956 957 1153495-115349e 955->957 958 115349f-1153574 955->958 960 1153432-1153435 956->960 961 115342c-115342e 956->961 978 115357a-1153588 958->978 960->943 963 1153437-1153446 960->963 961->943 962 1153430 961->962 962->963 971 1153404 963->971 972 1153448-1153452 963->972 970->972 974 11533fe-1153401 970->974 971->954 974->971 979 1153591-11535c9 978->979 980 115358a-1153590 978->980 984 11535d9 979->984 985 11535cb-11535cf 979->985 980->979 987 11535da 984->987 985->984 986 11535d1 985->986 986->984 987->987
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq$(bq$(bq
                                      • API String ID: 0-2716923250
                                      • Opcode ID: 523c2509171f77f41452907e24e0498cbc717c23c96cd61c1fbf2d55d63aaaa1
                                      • Instruction ID: 9bfd8c8d2e3a459f7fb36605223495f7dfaa0b70a5105aacada14e6c3945f7b6
                                      • Opcode Fuzzy Hash: 523c2509171f77f41452907e24e0498cbc717c23c96cd61c1fbf2d55d63aaaa1
                                      • Instruction Fuzzy Hash: 1FD1AE70E00209DFCB19DFA9C85469EBFF2FF88350F148569E825AB391DB35A941CB91
                                      Function 06288958 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 988 6288958-628897c 989 628897e-6288981 988->989 990 62889a2-62889a5 989->990 991 6288983-628899d 989->991 992 62889ab-6288aa3 990->992 993 6289084-6289086 990->993 991->990 1011 6288aa9-6288af6 call 6289208 992->1011 1012 6288b26-6288b2d 992->1012 994 6289088 993->994 995 628908d-6289090 993->995 994->995 995->989 998 6289096-62890a3 995->998 1025 6288afc-6288b18 1011->1025 1013 6288bb1-6288bba 1012->1013 1014 6288b33-6288ba3 1012->1014 1013->998 1031 6288bae 1014->1031 1032 6288ba5 1014->1032 1029 6288b1a 1025->1029 1030 6288b23-6288b24 1025->1030 1029->1030 1030->1012 1031->1013 1032->1031
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fcq$XPcq$\Ocq
                                      • API String ID: 0-3575482020
                                      • Opcode ID: 0bde7387ef37f056b2afda7838f88df671cc88303588545cb791a26dc25aea34
                                      • Instruction ID: e1d5fe1159e20044beb748c5b11a6a2e006c53385ab981f4ce08b1cc29d0852c
                                      • Opcode Fuzzy Hash: 0bde7387ef37f056b2afda7838f88df671cc88303588545cb791a26dc25aea34
                                      • Instruction Fuzzy Hash: 01615D70E102099FEB55AFA9C8547AEBAF6FFC8700F208429E505EB394DB758D41CB91
                                      Function 0628894A Relevance: 2.7, Strings: 2, Instructions: 184COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1885 628894a-6288950 1886 6288952-628897c 1885->1886 1887 62888d3-62888dc 1885->1887 1890 628897e-6288981 1886->1890 1889 62888de-62888e1 1887->1889 1891 62888e3-62888f2 1889->1891 1892 62888f7-62888fa 1889->1892 1893 62889a2-62889a5 1890->1893 1894 6288983-628899d 1890->1894 1891->1892 1896 62888fc-628890e 1892->1896 1897 6288913-6288916 1892->1897 1900 62889ab-6288aa3 1893->1900 1901 6289084-6289086 1893->1901 1894->1893 1896->1897 1898 6288918-6288928 1897->1898 1899 628892d-628892f 1897->1899 1898->1899 1903 6288931 1899->1903 1904 6288936-6288939 1899->1904 1925 6288aa9-6288af6 call 6289208 1900->1925 1926 6288b26-6288b2d 1900->1926 1905 6289088 1901->1905 1906 628908d-6289090 1901->1906 1903->1904 1904->1889 1911 628893b-6288941 1904->1911 1905->1906 1906->1890 1912 6289096-62890a3 1906->1912 1939 6288afc-6288b18 1925->1939 1927 6288bb1-6288bba 1926->1927 1928 6288b33-6288ba3 1926->1928 1927->1912 1945 6288bae 1928->1945 1946 6288ba5 1928->1946 1943 6288b1a 1939->1943 1944 6288b23-6288b24 1939->1944 1943->1944 1944->1926 1945->1927 1946->1945
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fcq$XPcq
                                      • API String ID: 0-936005338
                                      • Opcode ID: 050566b2c6ad82b50a4b19f0012f761c2e299998b148696a9a8dbfe03a36af04
                                      • Instruction ID: f52cb07517d9fa64985faaa848501238c3ab1169b70dedb1fc6791b4bfcf8a74
                                      • Opcode Fuzzy Hash: 050566b2c6ad82b50a4b19f0012f761c2e299998b148696a9a8dbfe03a36af04
                                      • Instruction Fuzzy Hash: 8B518371F102099FDB559FA9C9547AEBAE7FFC8700F208429E509EB394DA749C01CB91
                                      Function 0628D301 Relevance: 2.7, Strings: 2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q
                                      • API String ID: 0-355816377
                                      • Opcode ID: 0b456706b2f22409fd99540fb1bb975ade3c90f8913e35d3b9d2895e65d3a9b1
                                      • Instruction ID: c62b63cc096abf934be20232e2438407aa6645e9b48d69af67123393503b8b2b
                                      • Opcode Fuzzy Hash: 0b456706b2f22409fd99540fb1bb975ade3c90f8913e35d3b9d2895e65d3a9b1
                                      • Instruction Fuzzy Hash: 12513070B11106AFDB54EB78D950BAE73F6AFC8604F108869C809DB398EB70DC46CB95
                                      Function 062C4B88 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 018ac75d167b812f966f2fd814e371e11cd8ebdc30ca1344fee86536c59db82b
                                      • Instruction ID: 26443656d492124c7702fd63db42e91c7a2ba89ba4a032d1bff660d91b971948
                                      • Opcode Fuzzy Hash: 018ac75d167b812f966f2fd814e371e11cd8ebdc30ca1344fee86536c59db82b
                                      • Instruction Fuzzy Hash: 0E414331D043968FCB10DFB9D85469ABFF0EF8A310F1586AAD848E7251DB749984CBE1
                                      Function 062CB244 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                      Download Yara Rule
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062CB362
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 9e8edcf0646b230ee358a8f282bcd7a33ac65c71544ee7bd0f6413ffd520c562
                                      • Instruction ID: 3fd7b4ebee24e058663c4945e30776e3c3abac2f234a6aaec2502dd1ad2bd0ed
                                      • Opcode Fuzzy Hash: 9e8edcf0646b230ee358a8f282bcd7a33ac65c71544ee7bd0f6413ffd520c562
                                      • Instruction Fuzzy Hash: 7E51CEB1D10309DFDB14CFA9C885ADEBBB5FF48310F24862AE819AB210D7759885CF91
                                      Function 062CB250 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                      Download Yara Rule
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062CB362
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 254af1520f4db99355c49858468b93369df882c5745e54a4370e642654c16382
                                      • Instruction ID: 6483dd1ef057dbf30f709a232d186214bc93fbf47dc38d01a19f7bf620b2b973
                                      • Opcode Fuzzy Hash: 254af1520f4db99355c49858468b93369df882c5745e54a4370e642654c16382
                                      • Instruction Fuzzy Hash: 9141B1B1D10349DFDB14CFA9C985ADEBBB5FF48310F24822AE819AB210D7759845CF91
                                      Function 062C9D9C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                      Download Yara Rule
                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 062CC429
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: a18ae10f897b741ac943d5dee0072b6d22c9b75d8b48b8fde33ce47158103844
                                      • Instruction ID: 9b43f7213816f1406a72d532e216417d0e6547de19525774a0e5aa6bcadac224
                                      • Opcode Fuzzy Hash: a18ae10f897b741ac943d5dee0072b6d22c9b75d8b48b8fde33ce47158103844
                                      • Instruction Fuzzy Hash: 534129B4A10305CFDB54CF99C448AAABBF5FF88324F24C55DD559AB321D774A841CBA0
                                      Function 062CCFB4 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON
                                      Download Yara Rule
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Clipboard
                                      • String ID:
                                      • API String ID: 220874293-0
                                      • Opcode ID: 14eaf27d217e90e78f9785f8ff8f4f429179527c8e3a28673116ed5e500dc90a
                                      • Instruction ID: be3627b8ef07e935c8c800771103ea6ef7c320ef619cb80e991a01d24130d4fd
                                      • Opcode Fuzzy Hash: 14eaf27d217e90e78f9785f8ff8f4f429179527c8e3a28673116ed5e500dc90a
                                      • Instruction Fuzzy Hash: 143132B0D00209EFDB10DFA9C984BCEBBF5EF48314F208469E848AB294D7756886CF55
                                      Function 062CC9AC Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON
                                      Download Yara Rule
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Clipboard
                                      • String ID:
                                      • API String ID: 220874293-0
                                      • Opcode ID: 320d163f7116cbf27ab2a016dfcbbec25f7c980ca73921fd159e519df3027d7b
                                      • Instruction ID: 3c7b67bc718c56ff724bbc5a7098166a23942801ac0726d92c8c2362c3315b79
                                      • Opcode Fuzzy Hash: 320d163f7116cbf27ab2a016dfcbbec25f7c980ca73921fd159e519df3027d7b
                                      • Instruction Fuzzy Hash: D93105B0D11208DFDB50DF99C984B9EBBF5AF48314F208469E808BB254D7756845CB95
                                      Function 02AFCC30 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 02AFCCC2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CurrentThread
                                      • String ID:
                                      • API String ID: 2882836952-0
                                      • Opcode ID: d80e164faf22de97186eb6f5baddad7ed151700df5806f73345f859380fa6233
                                      • Instruction ID: 4e35edcbd1239f8c967bbb09f277c98428ba316c9e2f79b64c84e901f71bcf0c
                                      • Opcode Fuzzy Hash: d80e164faf22de97186eb6f5baddad7ed151700df5806f73345f859380fa6233
                                      • Instruction Fuzzy Hash: 593167B09002498FCB00DF99D584B9EFBF1FB48314F14855AE559AB321C739A949CFA4
                                      Function 02AFB048 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                      Download Yara Rule
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFB0D7
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 43bf66134dea2854c479b0cd2f7f18d936516b1630038973c36ffc25dad38db4
                                      • Instruction ID: 00a7ee5ebffe01daa454772bfdc50b03f7d6eebb8f66ab047562bec825201041
                                      • Opcode Fuzzy Hash: 43bf66134dea2854c479b0cd2f7f18d936516b1630038973c36ffc25dad38db4
                                      • Instruction Fuzzy Hash: 402178B590024A9FDB10CFA9E444BEEFBF0EB48324F24815AE664A7250C338A954CF60
                                      Function 02AFB04B Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                      Download Yara Rule
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFB0D7
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 6287fb88025ec12ee314e80d2ee19518ae907a5b7a549c8834f7def7f9fd18d7
                                      • Instruction ID: e964fc396754428f4b403a8f2fdf6782fe17a7424ab15b1b552083ba9cca30f7
                                      • Opcode Fuzzy Hash: 6287fb88025ec12ee314e80d2ee19518ae907a5b7a549c8834f7def7f9fd18d7
                                      • Instruction Fuzzy Hash: 0221E4B5900208EFDB10CF9AD984ADEFBF4FB48314F14841AE958A7350C379A944CFA4
                                      Function 062CEC01 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                      Download Yara Rule
                                      APIs
                                      • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 062CEC83
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 85b43870be9789c22793b7e45b6cb9e524f87695dfe6db05c5f0851fae9fb930
                                      • Instruction ID: 47e082e2b63a17ec5722538000987a6cf8cd786811ea460d97412fd5b4dd046a
                                      • Opcode Fuzzy Hash: 85b43870be9789c22793b7e45b6cb9e524f87695dfe6db05c5f0851fae9fb930
                                      • Instruction Fuzzy Hash: 862134B1D002099FCB14CFAAC844BDEBBF5EB88320F10842AE459A7250C775A944CFA5
                                      Function 02AFCD28 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                      Download Yara Rule
                                      APIs
                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 02AFCDA1
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: EnumThreadWindows
                                      • String ID:
                                      • API String ID: 2941952884-0
                                      • Opcode ID: f8807842b71357053aa54481a4f6ef5d46ab68b7d6b4062d10ae85a7ce68084c
                                      • Instruction ID: 4a542fd0b939cdc4767e52dc17e706ad07af15ff470fa01cddf68c3a9c98a766
                                      • Opcode Fuzzy Hash: f8807842b71357053aa54481a4f6ef5d46ab68b7d6b4062d10ae85a7ce68084c
                                      • Instruction Fuzzy Hash: 9C2158B1D002098FDB10CF9AC844BEEFBF5EB88320F14842AE558A3350C778A945CFA5
                                      Function 02AFB050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                      Download Yara Rule
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFB0D7
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 6e888ece859ade4f90799fed0bdc3a1c97abed5ff9f7dc41b9a68bbfe205a5f2
                                      • Instruction ID: f613d76ddf030f9f3c5677116d5f89a5b5d0484238c64fdd01d6680d21621d76
                                      • Opcode Fuzzy Hash: 6e888ece859ade4f90799fed0bdc3a1c97abed5ff9f7dc41b9a68bbfe205a5f2
                                      • Instruction Fuzzy Hash: E021E4B5900208DFDB10CF9AD584ADEFBF4FB48314F14841AE958A3350C379A940CFA4
                                      Function 02AFD4B9 Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • MessageBoxW.USER32(?,00000000,00000000,?), ref: 02AFD53D
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID:
                                      • API String ID: 2030045667-0
                                      • Opcode ID: 45141ad76aa5733aedebc854d5ed777fde608cbe11100b818fa72359f24816c5
                                      • Instruction ID: 3995b103f475a242652e500222acd7b32cbd552bfb136675b65ead9d2eed9d65
                                      • Opcode Fuzzy Hash: 45141ad76aa5733aedebc854d5ed777fde608cbe11100b818fa72359f24816c5
                                      • Instruction Fuzzy Hash: 7D2113B6900709DFCB11CF9AD884ADEFBB5FB48318F10852EE519A7200C779A544CFA4
                                      Function 02AFCD30 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
                                      Download Yara Rule
                                      APIs
                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 02AFCDA1
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: EnumThreadWindows
                                      • String ID:
                                      • API String ID: 2941952884-0
                                      • Opcode ID: 279e545d675e855aae893127c81cb8a2b4ff5e8a7181ffe09f9cd055807a6b8e
                                      • Instruction ID: c65b9e7a16660a05043592382049887ef9ae34e174470d6a939946d297d6379f
                                      • Opcode Fuzzy Hash: 279e545d675e855aae893127c81cb8a2b4ff5e8a7181ffe09f9cd055807a6b8e
                                      • Instruction Fuzzy Hash: FA2136B1D002198FDB14CF9AC844BEEFBF5EB88324F14842AE558A7250D778A945CFA5
                                      Function 062CEC08 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                      Download Yara Rule
                                      APIs
                                      • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 062CEC83
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 4c914638480acad79e142702bad6cecec7bec87bb16d92c8722b25092549df6c
                                      • Instruction ID: 48e08a0be8f8a49d9fac0d424d710acb5d40aa12a7878f247e73b1e2f33feb28
                                      • Opcode Fuzzy Hash: 4c914638480acad79e142702bad6cecec7bec87bb16d92c8722b25092549df6c
                                      • Instruction Fuzzy Hash: EB2124B1D00209DFCB14CF9AC844BEEFBF5EB88320F10842AE459A7290C775A944CFA5
                                      Function 02AFD4C0 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • MessageBoxW.USER32(?,00000000,00000000,?), ref: 02AFD53D
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID:
                                      • API String ID: 2030045667-0
                                      • Opcode ID: ebdfa42112b2371ac78f8007ece313dce9a27b49c20e0be7e7a761868be9d4dd
                                      • Instruction ID: a6076366c8dcc3f607fd3a12a4c52d8ceee7f8851f2ab4ef8522bc4d082587e2
                                      • Opcode Fuzzy Hash: ebdfa42112b2371ac78f8007ece313dce9a27b49c20e0be7e7a761868be9d4dd
                                      • Instruction Fuzzy Hash: 992113B6900709DFCB10CF9AD884ADEFBB5FB48318F10852EE519A7200C775A544CFA4
                                      Function 062C4C70 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalMemoryStatusEx.KERNELBASE ref: 062C4CD7
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: 349e3ce865567b3603c580dc8ab821f420cb8d3d786c27d74f3e499c12e2ce8c
                                      • Instruction ID: 1251113aedbf9223758b252d553d0f70490b9d4d0c5b087a727669bfcc007b5b
                                      • Opcode Fuzzy Hash: 349e3ce865567b3603c580dc8ab821f420cb8d3d786c27d74f3e499c12e2ce8c
                                      • Instruction Fuzzy Hash: D91112B1C0025A9BCB10DF9AC544BDEFBF4AB48320F10812AD818A7250D378A944CFA5
                                      Function 062CAB18 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                      Download Yara Rule
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 062CAB86
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: cd9920b15f9273d0675e5648958a985d041646b76124f9e4b4c9f48f25ec1e77
                                      • Instruction ID: a58ee73b1bf7a8ff1d1ce50c13847f01cd48713fc481e718cf70c6c1f2849ed3
                                      • Opcode Fuzzy Hash: cd9920b15f9273d0675e5648958a985d041646b76124f9e4b4c9f48f25ec1e77
                                      • Instruction Fuzzy Hash: 4211F0B5D003498FDB10CFAAC448ADEFBF5EF49320F10856AD8A9A7210D375A545CFA5
                                      Function 062CC698 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                      Download Yara Rule
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,062CC675), ref: 062CC6FF
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: 11afe1f8c1a66ba2e98f2f1d32bdc0135b77941e2c88f522cc1c69c33e77519e
                                      • Instruction ID: 16699ec7ea94fe7f1c8ffdc9b937357857828e6ea0c4a85205c2617585899f6e
                                      • Opcode Fuzzy Hash: 11afe1f8c1a66ba2e98f2f1d32bdc0135b77941e2c88f522cc1c69c33e77519e
                                      • Instruction Fuzzy Hash: 211136B1900249CFDB10DFAAC485BDEFFF8EB49324F20845AD599A7210C375A544CFA5
                                      Function 062CAB20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                      Download Yara Rule
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 062CAB86
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 1ab572573f60901abf178436436bebfcfd9899929e808b678cc9fbf68301e95b
                                      • Instruction ID: d59bfcdbd54159fc89bc2022731c65b2dbed8dbfe1b1797dc909e398dacc66e2
                                      • Opcode Fuzzy Hash: 1ab572573f60901abf178436436bebfcfd9899929e808b678cc9fbf68301e95b
                                      • Instruction Fuzzy Hash: BE11DFB5D002498FDB10DF9AC448ADEFBF5AB89324F10852AD869A7210C375A545CFA5
                                      Function 062C9DF4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                      Download Yara Rule
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,062CC675), ref: 062CC6FF
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: 0805459e38abbb66fd0252534b0e6bf1ab9400b3c7f4fcb2aa9f3236f0f04d08
                                      • Instruction ID: a464a2c45cb162bc96025968f903ac3baf18ae217972e9c44cc3876d8f2a9bcd
                                      • Opcode Fuzzy Hash: 0805459e38abbb66fd0252534b0e6bf1ab9400b3c7f4fcb2aa9f3236f0f04d08
                                      • Instruction Fuzzy Hash: 451145B5900249CFCB50DF9AC488BDEFBF8EB48324F20841AE959A7310D375A944CFA5
                                      Function 02AFB920 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                      Download Yara Rule
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 02AFBED5
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Initialize
                                      • String ID:
                                      • API String ID: 2538663250-0
                                      • Opcode ID: 3362e856230f3819c7e6cbcb3b653fc194b4d0cc339144c93a8f06099646bca1
                                      • Instruction ID: 5b50d9ad964b48fb536c135c70025cbd061fb6514fc526979c85dfd721f1ba81
                                      • Opcode Fuzzy Hash: 3362e856230f3819c7e6cbcb3b653fc194b4d0cc339144c93a8f06099646bca1
                                      • Instruction Fuzzy Hash: AD1133B09002488FCB20DF9AC488B9EFBF4EB48328F108459E658A7210D378A940CFA5
                                      Function 02AFBE78 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                      Download Yara Rule
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 02AFBED5
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122932639.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_2af0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: Initialize
                                      • String ID:
                                      • API String ID: 2538663250-0
                                      • Opcode ID: 56969d72e41af6db8ec55b8b73b04b329e86cd6056c51c9f9176e9ead4bc887c
                                      • Instruction ID: be39809ae808a4b1e4b977119f93651be375b8f0019bf9635b8cc5037f1bfb90
                                      • Opcode Fuzzy Hash: 56969d72e41af6db8ec55b8b73b04b329e86cd6056c51c9f9176e9ead4bc887c
                                      • Instruction Fuzzy Hash: 3D1115B59002498FCB20DF9AC585BDFFFF4EB48324F108459E658A7210D779A544CFA5
                                      Function 0674A840 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4132766926.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6740000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: DispatchMessage
                                      • String ID:
                                      • API String ID: 2061451462-0
                                      • Opcode ID: b867e5b69a19d32f0f4483629b39b5061e2249e6918f46f9a2791a58d94d29d3
                                      • Instruction ID: bea06bb5ec823c159e07536fade452e6527a5e78a39f860e731976979649990d
                                      • Opcode Fuzzy Hash: b867e5b69a19d32f0f4483629b39b5061e2249e6918f46f9a2791a58d94d29d3
                                      • Instruction Fuzzy Hash: FB1100B1D00248CFCB10DF9AD448BDEFBF8EB48320F10842AE458A3250D378A544CFA5
                                      Function 062CC72C Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                      Download Yara Rule
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,062CC675), ref: 062CC6FF
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131527291.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_62c0000_InstallUtil.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: a0139e92098ec2aa98f4b5734f2bc0796d8a8699a0f870fafa47b08021c701ce
                                      • Instruction ID: 1be1757495e98de43184803513b234bc16fed3b1baa346358a97cf3080452291
                                      • Opcode Fuzzy Hash: a0139e92098ec2aa98f4b5734f2bc0796d8a8699a0f870fafa47b08021c701ce
                                      • Instruction Fuzzy Hash: BFF0F0B2C143808EDB508B99C8593DABFF0EB51328F24818EC49E9B261D3799189CB91
                                      Function 06285FC8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH^q
                                      • API String ID: 0-2549759414
                                      • Opcode ID: 5fa1c5bccd23f8775d361f9e4ca2419587a04c2395285f7a605291570e3db913
                                      • Instruction ID: 315dd1c5054a01d287bdd6c9b3f251e538225f735c009a387241b49c2041dcc8
                                      • Opcode Fuzzy Hash: 5fa1c5bccd23f8775d361f9e4ca2419587a04c2395285f7a605291570e3db913
                                      • Instruction Fuzzy Hash: 9631E231B142029FDB55AB74D95466F7AE3AFC5300F108828D806DB395EF36DC46CB95
                                      Function 06288841 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \Ocq
                                      • API String ID: 0-2995510325
                                      • Opcode ID: a49ab3780eb2a963d9e1881066f586d7dd812417ca6a2ca4a84a617a41c33378
                                      • Instruction ID: 71d3f021c2564acb81bbba9defd796ff904391eb5996c0521d6bb814bac8c349
                                      • Opcode Fuzzy Hash: a49ab3780eb2a963d9e1881066f586d7dd812417ca6a2ca4a84a617a41c33378
                                      • Instruction Fuzzy Hash: B3F0B730E21129EFDB14EF94E9597AEBBB2BF88740F604519E502A7294CB741D41CB80
                                      Function 06286140 Relevance: 1.0, Instructions: 1005COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd787536be2744237ddd4fb99e987d72460999a05ab5f87c49674be734b26b2b
                                      • Instruction ID: 41292e9ca84314e3d6fdc48171c9ff4ddef2ca2585d137055ef0af1d8689a19f
                                      • Opcode Fuzzy Hash: bd787536be2744237ddd4fb99e987d72460999a05ab5f87c49674be734b26b2b
                                      • Instruction Fuzzy Hash: CF924634E11205CFDB64EB68C988A9DB7F2FB45314F5484A9D849AB3A1DB35EC85CF80
                                      Function 06280040 Relevance: .4, Instructions: 406COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf4f7faac42599edb9ef4b5926d36543132e86ccf78390d5a6b01cf8461d363e
                                      • Instruction ID: 636404f05b8531c0e37b73b85d0297ca849655930451214ffda771358bb885f4
                                      • Opcode Fuzzy Hash: cf4f7faac42599edb9ef4b5926d36543132e86ccf78390d5a6b01cf8461d363e
                                      • Instruction Fuzzy Hash: 6EE1B035F112059FDB54EF68D984AAEB7B2EF88310F108465E806E73A4DB35EC46CB91
                                      Function 06280007 Relevance: .3, Instructions: 261COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b49a0c59dda89c10cb9554c5b4161a7fce237eb1367e28d7b6250e063234c482
                                      • Instruction ID: 6560aa80da8a1481f3ded8861f2c5d4a9121ed41cb8b7f834cbaaf6884c6ab5b
                                      • Opcode Fuzzy Hash: b49a0c59dda89c10cb9554c5b4161a7fce237eb1367e28d7b6250e063234c482
                                      • Instruction Fuzzy Hash: 27A1CD35A112059FCB55EF64D984AADBBF2EF88310F148069E806E73A5DB74EC46CB90
                                      Function 06289438 Relevance: .2, Instructions: 247COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38a7e4e349b0813bc22e68885f929699411aa6cf8de587732ee71518dd409277
                                      • Instruction ID: 9f3c406f080bf49c3e93e680ac652fe34ac10fb07e838bc8a28ce6abf635dae1
                                      • Opcode Fuzzy Hash: 38a7e4e349b0813bc22e68885f929699411aa6cf8de587732ee71518dd409277
                                      • Instruction Fuzzy Hash: 2C81D331E262139FDF60AB6CD880779BB61EB81315F158466EC69DB2C2C235D8D0CBD1
                                      Function 06289FA0 Relevance: .2, Instructions: 229COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c3932ed80c33aa7df21feabe40917f8a77f56bcafb7700f99876a3e8ea2c78f
                                      • Instruction ID: 4838354af237b783670ea3344bb008e714d7d7921973bfc965965451cd8cf20c
                                      • Opcode Fuzzy Hash: 6c3932ed80c33aa7df21feabe40917f8a77f56bcafb7700f99876a3e8ea2c78f
                                      • Instruction Fuzzy Hash: 4761C271F100124FCB14AA7ECC8466FAADBAFD4624B154436E80EDB360DEA6DD02C7D2
                                      Function 06287C8A Relevance: .2, Instructions: 221COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67a7be1a3424bb4bed45475c419a716695ddd0e95168eaa880bf208a8090d0d2
                                      • Instruction ID: d062eb062bfb364c8f1659151706de4fa16c1b0c095f55eff3d35e34639af4ba
                                      • Opcode Fuzzy Hash: 67a7be1a3424bb4bed45475c419a716695ddd0e95168eaa880bf208a8090d0d2
                                      • Instruction Fuzzy Hash: F9814031B112069FDB54EB65D89476EB7F2AF89304F208529D80ADB394EB71EC42CB91
                                      Function 06287FA8 Relevance: .2, Instructions: 220COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17ae4864a8bc4d20193ecb8e63570346f01448bc3ac81d96209649560c053b6f
                                      • Instruction ID: 6c05773d8dca7044325bf8e7158284e8905346e19f9d7d90fba7c67ccfe0e0f7
                                      • Opcode Fuzzy Hash: 17ae4864a8bc4d20193ecb8e63570346f01448bc3ac81d96209649560c053b6f
                                      • Instruction Fuzzy Hash: 28915F30E1061A8FDF60DF68C890B9DB7B1FF89300F208599D549BB295DB74AA85CF91
                                      Function 06280558 Relevance: .2, Instructions: 215COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d7edb5f45c5b972a8c1bae99291affe387583d1976066be7efdf415f5880d07c
                                      • Instruction ID: 3966bcd773e58c2def5a7ced85e7d7ceb87c2a0fb5589a63a2bc21a81f95c9ac
                                      • Opcode Fuzzy Hash: d7edb5f45c5b972a8c1bae99291affe387583d1976066be7efdf415f5880d07c
                                      • Instruction Fuzzy Hash: C371AC71A112058FDB44DF69D984B9DBBF6FF88310F14C1A9E909AB395EB70D844CB90
                                      Function 06287FC0 Relevance: .2, Instructions: 210COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67f9e67c870c1e1c102e228e9b3d5f987c05a8e6ea07148c31f08799e126ba79
                                      • Instruction ID: 218f04be4ff7ce6213a8f991f126c5c814aec9cec2a1fe446f593b86bb617edc
                                      • Opcode Fuzzy Hash: 67f9e67c870c1e1c102e228e9b3d5f987c05a8e6ea07148c31f08799e126ba79
                                      • Instruction Fuzzy Hash: CA913C30E1061A8FDF60DF68C980B9DB7B1FF89300F208595D549BB295DB74AA85CF51
                                      Function 01150588 Relevance: .2, Instructions: 205COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a9c792df044e80888c4c5c5bcee52297309fbff8d5434296d8785ce8359d653
                                      • Instruction ID: d644304982638ffaad6af9ac5bf492baa23fa8375256284d0be761f6715ad2a2
                                      • Opcode Fuzzy Hash: 3a9c792df044e80888c4c5c5bcee52297309fbff8d5434296d8785ce8359d653
                                      • Instruction Fuzzy Hash: 91718C31D00709DFCB14DFA9C884ADEFBB5FF49310F20896AE869A7211E734A945CB51
                                      Function 06289208 Relevance: .1, Instructions: 131COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3146706d42034f8f2ba3f73cab977a21635cab458a427d46843324def39e9628
                                      • Instruction ID: 8efbef2785f1e73bae7b589bebba34ea2a068ff40e2fc77a57323e712af21020
                                      • Opcode Fuzzy Hash: 3146706d42034f8f2ba3f73cab977a21635cab458a427d46843324def39e9628
                                      • Instruction Fuzzy Hash: 81418071E1020A9FDB70DE9DDC80ABFF7B1EB85310F104929D51AD7694D334A985CB90
                                      Function 0628A5E8 Relevance: .1, Instructions: 118COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ff5667c024321847d2048d04a6e14f75354a2515c70549da6b497f996d3fdfc
                                      • Instruction ID: 05ca6d58cd7b6d6719a54a184ebf87b112d5b9d90538f306e2caa0c50ddffa22
                                      • Opcode Fuzzy Hash: 1ff5667c024321847d2048d04a6e14f75354a2515c70549da6b497f996d3fdfc
                                      • Instruction Fuzzy Hash: DB41B0719163A99FCB01DF68CC506DEBFB4EF0A310F1580A7E444E7292D7389944CBA5
                                      Function 01153158 Relevance: .1, Instructions: 115COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 06bd3f5f3dcc835c3c00539159b42e51f8f64d5dcf2845ae3ec738ce32a8878c
                                      • Instruction ID: 002ac294f571c0a74b9b7b73cecd7c6a1c49a915aea9751f2e91bf31ddddaecc
                                      • Opcode Fuzzy Hash: 06bd3f5f3dcc835c3c00539159b42e51f8f64d5dcf2845ae3ec738ce32a8878c
                                      • Instruction Fuzzy Hash: 47416D30D10709DBDB19DFA9C8846DEFBB1BF88340F14C669E8597B214EB70A981CB90
                                      Function 06285E79 Relevance: .1, Instructions: 101COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 98d85d24c390293ad2254be82bea916af17f68fbdb4d62194f7c2f9f83356829
                                      • Instruction ID: f4234eca11aafd697f2f3e49b92a884e05b5d3904d4138dd856fbc5994c5f803
                                      • Opcode Fuzzy Hash: 98d85d24c390293ad2254be82bea916af17f68fbdb4d62194f7c2f9f83356829
                                      • Instruction Fuzzy Hash: F2316D74E202069FCB55DF65D89869EB7B2BF99300F148519E80AF7790DB70A846CB50
                                      Function 011539AF Relevance: .1, Instructions: 99COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 487a12cefdd50754f270a3b2081ca483e450118992a5838ca430a8bd436c6aed
                                      • Instruction ID: cbac807bc55ae93aafac4369df96004bd302a8a5fae2f072e3fffdbdc93d874d
                                      • Opcode Fuzzy Hash: 487a12cefdd50754f270a3b2081ca483e450118992a5838ca430a8bd436c6aed
                                      • Instruction Fuzzy Hash: A631C270E102059FCB51EF68D940AAEB7B1FF46310F108A29D416EB365EB35ED46CB91
                                      Function 011539C0 Relevance: .1, Instructions: 94COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4fe5e4796dee9737184af45be7f89a7feab5c7459c9c8427461e6ade47025176
                                      • Instruction ID: f2b4e8b3d73115f5c487bec66de7f2100836e76188aafa9de596a30d80fd2daf
                                      • Opcode Fuzzy Hash: 4fe5e4796dee9737184af45be7f89a7feab5c7459c9c8427461e6ade47025176
                                      • Instruction Fuzzy Hash: 3531B030E102058FCF51EB68D880AAEB7B1FF85310F108A28D516E7365EB31EC46CB91
                                      Function 06285E88 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6e1bb660a56ca252eb2eab4ab173ba8c6c927bef84980d4355bc7b3fe12a11c9
                                      • Instruction ID: a54c5534c05b9b01c73b1a197787f37efac0ddc5fa0fbfbf62841091ec790f7b
                                      • Opcode Fuzzy Hash: 6e1bb660a56ca252eb2eab4ab173ba8c6c927bef84980d4355bc7b3fe12a11c9
                                      • Instruction Fuzzy Hash: F9312B34E202069FCB55DF69D89869EB7B2BF99300F148529EC06F7790DB70AC56CB50
                                      Function 01150809 Relevance: .1, Instructions: 80COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cde0630f05e805561dc5aea7ec2abff96f6bd7d6afe045ca3a63ba095720c935
                                      • Instruction ID: 9e69d97be89f2ac8a1bebbe697377445230873c65b3a49b0c6199e60be7498dc
                                      • Opcode Fuzzy Hash: cde0630f05e805561dc5aea7ec2abff96f6bd7d6afe045ca3a63ba095720c935
                                      • Instruction Fuzzy Hash: 453126B5900608CFDB10DF9AD544BDEFFF4EB88324F24841AE559A7210C375A944CFA5
                                      Function 06287892 Relevance: .1, Instructions: 79COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a97c1096c479a5dc7e0334d94f9d6f3396ed06b0d998b0c2c1f13c4e1ab4a1e
                                      • Instruction ID: 4d002ffbf118a48a38b7303d272a4fcc875a6cee993881ed5d17b3faae0c27c8
                                      • Opcode Fuzzy Hash: 9a97c1096c479a5dc7e0334d94f9d6f3396ed06b0d998b0c2c1f13c4e1ab4a1e
                                      • Instruction Fuzzy Hash: 34218B75E112169FDB40EF69DD80AAEBBF1AB48610F208025E909E7394E770D802CB90
                                      Function 01151D35 Relevance: .1, Instructions: 79COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c2267cc94b4f239e7a929381691bab54c7a7189fa3272243eea7cbe74b6039e1
                                      • Instruction ID: ec656f39f33cdfb055fd85f8490955de768e2023fd4130ec3602d69dc68960a9
                                      • Opcode Fuzzy Hash: c2267cc94b4f239e7a929381691bab54c7a7189fa3272243eea7cbe74b6039e1
                                      • Instruction Fuzzy Hash: AA3112B0D11218DFDB14DF99C588BCEBFB4BB08354F20805AE864AB251C7B59945CFA5
                                      Function 062878A0 Relevance: .1, Instructions: 78COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 542304c92b01b8d15229925c5f3f6566c6803a6421c747255d6b97addb60aef9
                                      • Instruction ID: 4d89c84792cf40503efa509878b0dc03f7a53a237df3bced721a140ef96370e2
                                      • Opcode Fuzzy Hash: 542304c92b01b8d15229925c5f3f6566c6803a6421c747255d6b97addb60aef9
                                      • Instruction Fuzzy Hash: EB216B75E212169FDB40EF69DC40AAEBBF5EB48610F208025E909E7394E670D902CB94
                                      Function 011534DC Relevance: .1, Instructions: 73COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81689f59e29dc42f016a90ff4560cdbfaaa697076db5ddd9295fbf451644ac52
                                      • Instruction ID: 43140638493fb2e3a96d6097e52959fa7f96fbcc61ea83a09ccbff3f5492afb4
                                      • Opcode Fuzzy Hash: 81689f59e29dc42f016a90ff4560cdbfaaa697076db5ddd9295fbf451644ac52
                                      • Instruction Fuzzy Hash: 1D31E3B0D11218EFDB14CF99C588BCEBFF5BB08314F24845AE815AB250C7759945CFA5
                                      Function 029CD2B8 Relevance: .1, Instructions: 72COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4077a74e29972825778d84c84ab806727b5c4acbd6cb32215cc4ca6d92118cf
                                      • Instruction ID: 30da1a7555d0cd6e93ce89765186031f92d40aa2f686e5939279bd71e91da470
                                      • Opcode Fuzzy Hash: e4077a74e29972825778d84c84ab806727b5c4acbd6cb32215cc4ca6d92118cf
                                      • Instruction Fuzzy Hash: 8A2105B1504244DFDB05DF14DAC4B2ABBA9FB88328F34C57ED8494B295C33AD446CAB2
                                      Function 029CD0F0 Relevance: .1, Instructions: 72COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a87edfa332166eb5683624ee8e268d5653501848d64457257efc2112c5a5ba3e
                                      • Instruction ID: 2791b91e4d09dcb3ba05e3e347656429349a11bcd3eecd8b723ad7de323bca74
                                      • Opcode Fuzzy Hash: a87edfa332166eb5683624ee8e268d5653501848d64457257efc2112c5a5ba3e
                                      • Instruction Fuzzy Hash: F221AFB5604244DFDB09DF14D9C4B26BBA5EB88314F24C97DE84A4A396C336D446CB72
                                      Function 029CD468 Relevance: .1, Instructions: 72COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9f8387070004e68bfe6c493446b2ed28629f39801c377fe1cdba89cc02bdf0e4
                                      • Instruction ID: ed29f9b3358323d3390663d7f2a1a502bd9470533d65311ee6a139ee2d0707e5
                                      • Opcode Fuzzy Hash: 9f8387070004e68bfe6c493446b2ed28629f39801c377fe1cdba89cc02bdf0e4
                                      • Instruction Fuzzy Hash: 2821C571504244EFDB04DF14D5C4B26BBA9EB84318F34C97DD90D4B29AC37AE446CA72
                                      Function 01151D4C Relevance: .1, Instructions: 71COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b309b24be5c2a20f2be6242166bec3f5483e8e27608f8bdb0fbb113af8539851
                                      • Instruction ID: e27df0e300905d47e7c88868987cfbb92cb35a0d3b806270052f5a49bf499687
                                      • Opcode Fuzzy Hash: b309b24be5c2a20f2be6242166bec3f5483e8e27608f8bdb0fbb113af8539851
                                      • Instruction Fuzzy Hash: 0B31F2B0D10218EFDB24DF99C588B8EBFF4BB08354F10801AE825BB250C7B59945CFA1
                                      Function 0628AED0 Relevance: .1, Instructions: 68COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23ef4c8025b254ae92379ed21a2ec623616e6d8bb47da97702ffc0d53704335e
                                      • Instruction ID: 50d8c336d700f027a41a1248f5db193bd4373b8bc6f50225adf556ff9c7cd484
                                      • Opcode Fuzzy Hash: 23ef4c8025b254ae92379ed21a2ec623616e6d8bb47da97702ffc0d53704335e
                                      • Instruction Fuzzy Hash: AC217530B211159FDF44EB69E95469EB7B6EF84310F14847AE809E7384DB35EC42CB94
                                      Function 01150D7F Relevance: .1, Instructions: 66COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9bd82ad522027f4b2aa60defbc10fbe638dbf87445f91ca877fad6e983311019
                                      • Instruction ID: 5a791a9fe7c22496c05ac73900c25967e31d2e703e18e3df44fe2b604fa8253a
                                      • Opcode Fuzzy Hash: 9bd82ad522027f4b2aa60defbc10fbe638dbf87445f91ca877fad6e983311019
                                      • Instruction Fuzzy Hash: FE11E535B052446FCB99DBBD9C144AEBBEECFC510072480ABE819C7262EE359D0187A1
                                      Function 06287668 Relevance: .1, Instructions: 65COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2c690bc7cab7037b78947dd19250f5f3705288e2eb3474fd15458c3b3c837d9
                                      • Instruction ID: 8ec2e5f29cc7449976fc1af2867b5d8f09378d39334d2f53aeb4b4b04c5911e7
                                      • Opcode Fuzzy Hash: b2c690bc7cab7037b78947dd19250f5f3705288e2eb3474fd15458c3b3c837d9
                                      • Instruction Fuzzy Hash: A9212CB5D0125AAFCB10DF99D844ADEFFB4FB49310F20811AE918B7240C375A554CFA5
                                      Function 01150744 Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ce3bf24969821efb18b5b79fdf27ba4f70412cb102c8873d8e7aa23c8acedacb
                                      • Instruction ID: c1089d73264c9dfac1fd11f2fde17acbe0ba1cddd7aee51dc2d5dbd920aee643
                                      • Opcode Fuzzy Hash: ce3bf24969821efb18b5b79fdf27ba4f70412cb102c8873d8e7aa23c8acedacb
                                      • Instruction Fuzzy Hash: BC2112B0D01348DFCB14CFAAD8886DEBBF4FB48310F60842AE458A3211C378A4048BA5
                                      Function 01150E0C Relevance: .1, Instructions: 63COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de40fb30844bb88c6db4a288663859854328c603fb58e2b8d43e0098b36ff2f0
                                      • Instruction ID: 2e2f9796ca32e5dab5aa8a78dddecdb27eec317a4500d0844d7e4cc1926e3e4c
                                      • Opcode Fuzzy Hash: de40fb30844bb88c6db4a288663859854328c603fb58e2b8d43e0098b36ff2f0
                                      • Instruction Fuzzy Hash: 921104357053849FCB8A9B7C98144AE7FFA9FC620132444ABE945CB2A2DE359D0583A2
                                      Function 062879B0 Relevance: .1, Instructions: 59COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f6bba61e25c4cea1f7993eeeccfcc8bf5e7adaa0393f5503a9c08e08322595ba
                                      • Instruction ID: 692e5a38ddb5774ba1d6abf9df93aa7819b897ca05a67afb3b1b23ebbacb46c7
                                      • Opcode Fuzzy Hash: f6bba61e25c4cea1f7993eeeccfcc8bf5e7adaa0393f5503a9c08e08322595ba
                                      • Instruction Fuzzy Hash: 0A11A532B201155FDF44A668DC14AAF77EAEBC9710F144535D80AE7384DE64DD02C792
                                      Function 06287BE7 Relevance: .1, Instructions: 57COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07177200874a61754b8a3f242cbb9e3a0259874c7807c848f08dfeee3e419ccc
                                      • Instruction ID: aac9440c6ab3ec937ef27973bb00d13e306d4fc5270f25d4b20e5f495f85e4ec
                                      • Opcode Fuzzy Hash: 07177200874a61754b8a3f242cbb9e3a0259874c7807c848f08dfeee3e419ccc
                                      • Instruction Fuzzy Hash: 3701F131B291111FDB56A6BDA82076E67DACBCA610F24847AE40EC73D2DD65CC028396
                                      Function 0628E4C8 Relevance: .1, Instructions: 54COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 544a40c47279281e3d3ccca13d5512b47af79cfd1620a95e91de6b98909aa213
                                      • Instruction ID: 86cc2951ce64fdf6687df250976870f918ec001c9db68bd6e91899b927829b6c
                                      • Opcode Fuzzy Hash: 544a40c47279281e3d3ccca13d5512b47af79cfd1620a95e91de6b98909aa213
                                      • Instruction Fuzzy Hash: AB01DF31B112011FDB62AA78AC5476B67A5EB89710F108929F44ED7395EA28EC428384
                                      Function 029CD2B3 Relevance: .1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                      • Instruction ID: 1e7663a7c221cf9c725e67be2c3f0bb44d20b0a11fa1797032bbe5a63308bbe6
                                      • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                      • Instruction Fuzzy Hash: 87119D76504284CFDB12CF14D5C4B1ABB61FB84328F28C6AED8494B656C33AD40ACBA2
                                      Function 029CD0EB Relevance: .1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                      • Instruction ID: 5d87bfbbe46e964121d567bbaf32984feb7a903d865ae91d2bdbb2fe4aca32ae
                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                      • Instruction Fuzzy Hash: 6B118B75504280DFDB15CF14D9C4B15BBA2FB88318F24C6AED8494B796C33AD44ACB62
                                      Function 029CD463 Relevance: .1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122571441.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_29cd000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                      • Instruction ID: c1ed420a4ec75e9bc5549aa7b32b87e5e05aa837d1087503f9bcfa5771910e03
                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                      • Instruction Fuzzy Hash: 0E118B76504280DFDB15CF24D5C4B15BBA1FB84318F28C6AED8494B69AC33AD44ACB62
                                      Function 06287670 Relevance: .1, Instructions: 52COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7420a75c21beb9993b893b21be260287097c3fd006362acf200f14e456a951e3
                                      • Instruction ID: 22821ab1a00b7d2bd46711cd3fc79199c921034f777fb9ab4f76e546b24c80e1
                                      • Opcode Fuzzy Hash: 7420a75c21beb9993b893b21be260287097c3fd006362acf200f14e456a951e3
                                      • Instruction Fuzzy Hash: CD11D3B1D01259EFCB00DF9AD884ACEFFB4FB48310F10812AE918A7240C374A544CFA5
                                      Function 062879A2 Relevance: .1, Instructions: 52COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 54fc99e556864e0cb3e7378fc26c244c2c619251626573efeec36704320091b7
                                      • Instruction ID: 0c5315a6b0467139ede6f83135b1ae77e81aec9269ffd469a50cbf030bb8280d
                                      • Opcode Fuzzy Hash: 54fc99e556864e0cb3e7378fc26c244c2c619251626573efeec36704320091b7
                                      • Instruction Fuzzy Hash: 3601A236F210166FEB95A568DC10BEF76AFDBC8610F104536D90AE7384EE64DD0287E2
                                      Function 06287BF8 Relevance: .1, Instructions: 51COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1080ea98a005e7b7e6728bb7fb5bd73273a94493b2ae986a4f09d4c0f219600
                                      • Instruction ID: 6605e249ddf3b2d20f2bb33f2aa7e447d0b1023fef8c0445b44d9c78235a4eb0
                                      • Opcode Fuzzy Hash: c1080ea98a005e7b7e6728bb7fb5bd73273a94493b2ae986a4f09d4c0f219600
                                      • Instruction Fuzzy Hash: 53018131B200111FDBA5B66EA85472FA2DBDBC9710F248439E50EC73D5DE66DC428395
                                      Function 011530C0 Relevance: .0, Instructions: 47COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aae8bd6e3487366929a901c855e45bd7d59519153934c1d0a856252f19812f91
                                      • Instruction ID: f5fa95411992265f7e8b7921c6bfc0552dc36c5459c03b8f4f9c1ffe5ed8730d
                                      • Opcode Fuzzy Hash: aae8bd6e3487366929a901c855e45bd7d59519153934c1d0a856252f19812f91
                                      • Instruction Fuzzy Hash: 0E11F5B5900248CFDB20DF9AD585BDEBBF4EB48320F10841AD969A7350C375A945CFA5
                                      Function 0628E4D8 Relevance: .0, Instructions: 46COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6416f7c5e369ff1cb50d45d5813a3e464e07f86c22c93a135a5e3bf8fbaccc42
                                      • Instruction ID: 141d91070318c5a3ecd54340df082de56f989d01ea29d270a0d54fe0ddd712b0
                                      • Opcode Fuzzy Hash: 6416f7c5e369ff1cb50d45d5813a3e464e07f86c22c93a135a5e3bf8fbaccc42
                                      • Instruction Fuzzy Hash: 83018131B101115FDB65FA6DE85072A73D6EB89714F108839E50EC7394EE25EC428785
                                      Function 011530C8 Relevance: .0, Instructions: 44COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e634a6e6721039a177f2011337bbabc54f8e10107d3488a759d51af709b0194
                                      • Instruction ID: 5bf2ba032b288d68e6a562add07f931e1fdc1e6ecabddb3a9512d695f703278a
                                      • Opcode Fuzzy Hash: 2e634a6e6721039a177f2011337bbabc54f8e10107d3488a759d51af709b0194
                                      • Instruction Fuzzy Hash: 3A11D3B5900248CFDB60DF9AD585BDEFBF4EB48320F10841AD969A7250C375A944CFA5
                                      Function 01150579 Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 14f528ce977cf187b77b4c9f31d4cf2758f51feacad58791079c564b06fafd24
                                      • Instruction ID: 4f082790d4bfc1b0ea4f533607072991b61b9ad674382588ac57ccb99f7b564c
                                      • Opcode Fuzzy Hash: 14f528ce977cf187b77b4c9f31d4cf2758f51feacad58791079c564b06fafd24
                                      • Instruction Fuzzy Hash: 9EF0B431A062589FCB16CFEDD9C48DEFF76FB49310B15096BF615D2212C33199158761
                                      Function 01153BD0 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 79607f06e8f0909681fe5fc9cf0fab5649435c986a235563e202c09ae1464815
                                      • Instruction ID: f43a6c333cb84d042ac291f8ba464a7da48c13a3b69fc4666cdcb28f4a424289
                                      • Opcode Fuzzy Hash: 79607f06e8f0909681fe5fc9cf0fab5649435c986a235563e202c09ae1464815
                                      • Instruction Fuzzy Hash: D8F04FB4E4431AEFD748CF69C881AAEBFF9BF48300F008869D924D7242D77485418BE1
                                      Function 01153BE0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 01aa057138be49f4581f2698c56333dcd2fc6be9769f648ef1d4490384d03d11
                                      • Instruction ID: 9d95985698161ecd43f79554dc76d46606067dbef50a7d31e5f44d185640d42e
                                      • Opcode Fuzzy Hash: 01aa057138be49f4581f2698c56333dcd2fc6be9769f648ef1d4490384d03d11
                                      • Instruction Fuzzy Hash: F2F03AB0D0030ADFDB48DFAAC845AAEBBF4FF08300F0045AAD928E7201D77096008B90
                                      Function 01153B79 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16f19779ee63af9f8fd6647a6ce5bee193cef501fe5e1c79a77cac4762c386a7
                                      • Instruction ID: 5fe88ce4ac96391570eb210716016ef534f1f9c231de4ca5f8d43cf776d892de
                                      • Opcode Fuzzy Hash: 16f19779ee63af9f8fd6647a6ce5bee193cef501fe5e1c79a77cac4762c386a7
                                      • Instruction Fuzzy Hash: 45F0A974E4820AEFCB44EFB8C804A9EBBF6FF08200F1185A9D824E7211E77085048B91
                                      Function 01153C6F Relevance: .0, Instructions: 22COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9501221ce2c6baae1e2882c68a1f3bd7959f2eb3a65de7058fb2b5ba7c7f59e7
                                      • Instruction ID: 1223603693f2e5c8bd15f6772f64efe6ca59532c7e01e685901372d144ac861b
                                      • Opcode Fuzzy Hash: 9501221ce2c6baae1e2882c68a1f3bd7959f2eb3a65de7058fb2b5ba7c7f59e7
                                      • Instruction Fuzzy Hash: B9E08C32258258AFC742DBA0D840C977BA9BB56280705C4A3E494CF162E722E56DC792
                                      Function 01153B88 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4122247307.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1150000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69388587e0e1ed8f7ce24e94be93fc706442d2911c641549a449346cf7e2ca97
                                      • Instruction ID: 4e857d18e0f8a57580ac6d1faa7d896e261d2f9fa0ab0ee0701a3836b9e00003
                                      • Opcode Fuzzy Hash: 69388587e0e1ed8f7ce24e94be93fc706442d2911c641549a449346cf7e2ca97
                                      • Instruction Fuzzy Hash: 7AE012B0D0020ADFCB84EFA9C948A5EBBF0BB08300F1184A9C428E7211EB7086048F81

                                      Non-executed Functions

                                      Function 0628B858 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-2222239885
                                      • Opcode ID: 9e88ee29badd3714c50707d8ad14ffb0e1a73a68031f3db6b8d4ebbd4a24ce7f
                                      • Instruction ID: e3a0e5bd09d2175afb2e296dd011ea2653547ed83dd41995d6d221449bf81386
                                      • Opcode Fuzzy Hash: 9e88ee29badd3714c50707d8ad14ffb0e1a73a68031f3db6b8d4ebbd4a24ce7f
                                      • Instruction Fuzzy Hash: 5A124E30E112198FDB54EF65C954A9DB7F2BF88301F2085A9D509AB3A5DB309D86CF81
                                      Function 0628EB00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-3823777903
                                      • Opcode ID: 742af6dc41cb1ac1b0fa11f20e09b8fac9836cf7d025d2c7a05c63676ebda6b6
                                      • Instruction ID: 287dcdfb858ba47cc0461e28f26583834bddd4e66620f7ce5b0800eae263b116
                                      • Opcode Fuzzy Hash: 742af6dc41cb1ac1b0fa11f20e09b8fac9836cf7d025d2c7a05c63676ebda6b6
                                      • Instruction Fuzzy Hash: 3D918E30E2120ADFEB68EF64DD44B6EBBB2BF84300F118429D8459B3D5DB759945CB90
                                      Function 0628B258 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                      • API String ID: 0-390881366
                                      • Opcode ID: 8b79f5a9c681976c4e44f651faa7eb518e67536b9ca49bd3663f0f66178979a7
                                      • Instruction ID: 8627b19668a2547d7bbab97ac917803cab19125160c123e0c61693d4cf34f731
                                      • Opcode Fuzzy Hash: 8b79f5a9c681976c4e44f651faa7eb518e67536b9ca49bd3663f0f66178979a7
                                      • Instruction Fuzzy Hash: BBF17130A11209DFDB58EFA4D994A6EB7F3BF84301F248569D8059B3A8DB75EC46CB40
                                      Function 0628C590 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q
                                      • API String ID: 0-2125118731
                                      • Opcode ID: 7e43510e5317a4366eb3e5d19b9e0c68be80a5109768fab2fdc12b18dee94310
                                      • Instruction ID: d95c4bcfffdcc65fdaca4f466431a883ef84c397234bd30e5c5ba19cda7887ba
                                      • Opcode Fuzzy Hash: 7e43510e5317a4366eb3e5d19b9e0c68be80a5109768fab2fdc12b18dee94310
                                      • Instruction Fuzzy Hash: E2B15C30B112098FDB54EB68D9806AEB7B2EF84314F248869D4069B395DB75DC86CB90
                                      Function 0628C9A8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR^q$LR^q$$^q$$^q
                                      • API String ID: 0-2454687669
                                      • Opcode ID: b32c0e2c3a630598567af164bdeb606c7f88026a7c5488d046ded153b7640aac
                                      • Instruction ID: 289fd4eb45b4303a8a1c327d65502e4546eddc502fb0f15a84b8b5959666f88e
                                      • Opcode Fuzzy Hash: b32c0e2c3a630598567af164bdeb606c7f88026a7c5488d046ded153b7640aac
                                      • Instruction Fuzzy Hash: A251C530B112059FDB54EF38D950A6A77E6FF84304F1485A9E815DB3A5DB30EC45CBA1
                                      Function 0628EE88 Relevance: 5.2, Strings: 4, Instructions: 159COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.4131273481.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6280000_InstallUtil.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q
                                      • API String ID: 0-2125118731
                                      • Opcode ID: 68b564ae2cb1c82e4fb362a7e21edbe6b2c60ed7c1f8cefe6009a4a56e0414f8
                                      • Instruction ID: 04797a8f0a9cf725f726544da19b2b7284ae3b6e3da3bfa0687b9d0c66871684
                                      • Opcode Fuzzy Hash: 68b564ae2cb1c82e4fb362a7e21edbe6b2c60ed7c1f8cefe6009a4a56e0414f8
                                      • Instruction Fuzzy Hash: 0F518131E212059FDFA5EB64EA8066DB3B2EB88310F108529E805DB399DB35DC42CB91