Windows Analysis Report
ZeaS4nUxg4.exe

Overview

General Information

Sample name: ZeaS4nUxg4.exe (renamed because the original name is a hash value)
Original sample name: 7a9cf1b27f192c4e65b215b4a126fac4aa8d34397d020568ba4590a15502cf9c.exe
Analysis ID: 1549219
MD5: d457d91b513ac2e3a4b539c28537da71
SHA1: 9fd2aca60e95212de7ccc546dd82729b5d050f02
SHA256: 7a9cf1b27f192c4e65b215b4a126fac4aa8d34397d020568ba4590a15502cf9c
Tags: exe, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • ZeaS4nUxg4.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\ZeaS4nUxg4.exe" MD5: D457D91B513AC2E3A4B539C28537DA71)
    • yavascript.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: D457D91B513AC2E3A4B539C28537DA71)
  • yavascript.exe (PID: 3752 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: D457D91B513AC2E3A4B539C28537DA71)
  • yavascript.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: D457D91B513AC2E3A4B539C28537DA71)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

{
  "Host:Port:Password": ["198.23.227.212:32583:1"],
  "Assigned name": "Yavakosa",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "yavascript.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-I7G983",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "xenor",
  "Keylog folder": "remcos"
}
Source | Rule | Description | Author
ZeaS4nUxg4.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
ZeaS4nUxg4.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
ZeaS4nUxg4.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
ZeaS4nUxg4.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
ZeaS4nUxg4.exe | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Source | Rule | Description | Author
00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Source | Rule | Description | Author
3.2.yavascript.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
3.2.yavascript.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
3.2.yavascript.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
3.2.yavascript.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
3.2.yavascript.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ZeaS4nUxg4.exe, ProcessId: 5276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-I7G983

Stealing of Sensitive Information

Source: Registry Key set
Author: Joe Security
Data: Details: 1E 04 D2 DB 3F 0C FE F3 82 62 77 23 55 F6 79 B1 49 36 B8 E5 8D 32 CC 27 A6 CB 6E 6A 89 1A 19 B0 B4 53 8A 49 77 14 FC 00 27 A6 E3 34 C0 ED 34 E0 0A 9D 0A D1 26 0E C1 90 99 15 44 75 A2 34 05 C5 6E C4 62 5A AD 89 35 B2 F0 68 B4 0C E0 47 A0 30 FD 73 49 70 34 DF 76 DA 6B E1 47 5F 61 46 AA 13 DB 71 55 89 7B 9B 50 50 84 E0, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, ProcessId: 6048, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-I7G983\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T12:41:50.252846+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49715 | TCP
2024-11-05T12:42:28.568048+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49952 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T12:41:32.786272+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:34.348606+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:35.871460+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:37.405154+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:38.954722+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:40.488436+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:42.022557+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:43.637742+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:45.161127+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:46.754439+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:48.288565+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49714 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:49.818315+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:51.355450+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:52.893708+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49735 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:54.419605+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49744 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:55.951896+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49752 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:57.505259+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49763 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:41:59.021494+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49772 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:00.542402+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49780 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:02.067344+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49790 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:03.592241+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49801 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:05.115837+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49809 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:06.630577+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49819 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:08.164133+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49829 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:09.685071+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49840 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:11.205637+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49847 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:12.730956+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49857 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:14.250056+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:15.788526+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49878 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:17.337658+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49884 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:18.859526+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49895 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:20.396774+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49906 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:21.931070+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49917 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:23.417930+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49923 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:25.243343+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49934 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:26.670374+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49945 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:28.065270+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49953 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:29.438467+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49963 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:30.787439+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49969 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:32.101609+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:33.386309+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49986 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:34.670115+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49994 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:35.894146+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50003 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:37.115745+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50009 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:38.333431+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50019 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:39.520588+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50022 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:40.675526+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50023 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:41.793165+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50024 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:43.061373+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50025 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:44.158035+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50026 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:45.227579+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50027 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:46.990371+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50028 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:48.022010+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50029 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:49.026948+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50030 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:50.025217+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50031 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:51.039564+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50032 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:51.997806+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50033 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:52.960204+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50034 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:54.283478+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50035 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:55.199477+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50036 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:56.113075+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50037 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:57.012887+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50038 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:57.904941+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50039 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:58.861145+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50040 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:42:59.717714+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50041 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:00.565042+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50042 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:01.403604+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50043 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:02.257711+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50044 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:03.075655+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50045 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:03.891235+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50046 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:04.701258+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50047 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:05.483644+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50048 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:06.269304+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50049 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:07.057593+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50050 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:07.827672+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50051 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:08.573729+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50052 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:09.342583+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50053 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:10.074118+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50054 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:10.821832+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50055 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:11.570540+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50056 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:12.299859+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50057 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:13.016186+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50058 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:13.715272+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50059 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:14.415597+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50060 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:15.107494+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50061 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:15.795594+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50062 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:16.485603+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50063 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:17.170749+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50064 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:17.839578+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50065 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:18.514770+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50066 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:19.183445+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50067 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:19.850806+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50068 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:20.497179+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50069 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:21.137321+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50070 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:21.787547+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50071 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:22.444780+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50072 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:23.081621+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50073 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:23.715645+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50074 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:24.341832+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50075 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:25.008916+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50076 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:25.628816+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50077 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:26.296307+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50078 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:26.940948+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50079 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:27.615619+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50080 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:28.230995+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50081 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:28.831837+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50082 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:29.443600+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50083 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:30.045607+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50084 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:30.642841+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50085 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:31.229886+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50086 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:31.823716+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50087 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:32.417618+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50088 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:33.013567+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50089 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:33.615634+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50090 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:34.202575+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50091 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:34.781374+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50092 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:35.543698+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50093 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:36.135688+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50094 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:36.717696+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50095 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:37.285549+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50096 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:37.858168+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50097 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:38.447660+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50098 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:39.038730+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50099 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:39.601714+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50100 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:40.192572+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50101 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:40.786674+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50102 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:41.357265+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50103 | 198.23.227.212 | 32583 | TCP
2024-11-05T12:43:41.917098+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50104 | 198.23.227.212 | 32583 | TCP
                            2024-11-05T12:43:42.491656+010020365941Malware Command and Control Activity Detected192.168.2.550105198.23.227.21232583TCP
                            2024-11-05T12:43:43.046211+010020365941Malware Command and Control Activity Detected192.168.2.550106198.23.227.21232583TCP
                            2024-11-05T12:43:43.607761+010020365941Malware Command and Control Activity Detected192.168.2.550107198.23.227.21232583TCP
                            2024-11-05T12:43:44.183654+010020365941Malware Command and Control Activity Detected192.168.2.550108198.23.227.21232583TCP
                            2024-11-05T12:43:44.755716+010020365941Malware Command and Control Activity Detected192.168.2.550109198.23.227.21232583TCP
                            2024-11-05T12:43:45.335339+010020365941Malware Command and Control Activity Detected192.168.2.550110198.23.227.21232583TCP
                            2024-11-05T12:43:45.886169+010020365941Malware Command and Control Activity Detected192.168.2.550111198.23.227.21232583TCP
                            2024-11-05T12:43:46.458169+010020365941Malware Command and Control Activity Detected192.168.2.550112198.23.227.21232583TCP
                            2024-11-05T12:43:47.034579+010020365941Malware Command and Control Activity Detected192.168.2.550113198.23.227.21232583TCP
                            2024-11-05T12:43:47.615436+010020365941Malware Command and Control Activity Detected192.168.2.550114198.23.227.21232583TCP
                            2024-11-05T12:43:48.224271+010020365941Malware Command and Control Activity Detected192.168.2.550115198.23.227.21232583TCP
                            2024-11-05T12:43:48.803256+010020365941Malware Command and Control Activity Detected192.168.2.550116198.23.227.21232583TCP
                            2024-11-05T12:43:49.348377+010020365941Malware Command and Control Activity Detected192.168.2.550117198.23.227.21232583TCP
                            2024-11-05T12:43:49.888140+010020365941Malware Command and Control Activity Detected192.168.2.550118198.23.227.21232583TCP
                            2024-11-05T12:43:50.435702+010020365941Malware Command and Control Activity Detected192.168.2.550119198.23.227.21232583TCP
                            2024-11-05T12:43:50.983710+010020365941Malware Command and Control Activity Detected192.168.2.550120198.23.227.21232583TCP
                            2024-11-05T12:43:51.555338+010020365941Malware Command and Control Activity Detected192.168.2.550121198.23.227.21232583TCP
                            2024-11-05T12:43:52.104880+010020365941Malware Command and Control Activity Detected192.168.2.550122198.23.227.21232583TCP
                            2024-11-05T12:43:52.653820+010020365941Malware Command and Control Activity Detected192.168.2.550123198.23.227.21232583TCP
                            2024-11-05T12:43:53.195337+010020365941Malware Command and Control Activity Detected192.168.2.550124198.23.227.21232583TCP
                            2024-11-05T12:43:53.732023+010020365941Malware Command and Control Activity Detected192.168.2.550125198.23.227.21232583TCP
                            2024-11-05T12:43:54.309705+010020365941Malware Command and Control Activity Detected192.168.2.550126198.23.227.21232583TCP
                            2024-11-05T12:43:54.857923+010020365941Malware Command and Control Activity Detected192.168.2.550127198.23.227.21232583TCP
                            2024-11-05T12:43:55.401816+010020365941Malware Command and Control Activity Detected192.168.2.550128198.23.227.21232583TCP
                            2024-11-05T12:43:55.935391+010020365941Malware Command and Control Activity Detected192.168.2.550129198.23.227.21232583TCP
                            2024-11-05T12:43:56.481705+010020365941Malware Command and Control Activity Detected192.168.2.550130198.23.227.21232583TCP
                            2024-11-05T12:43:57.056275+010020365941Malware Command and Control Activity Detected192.168.2.550131198.23.227.21232583TCP
                            2024-11-05T12:43:57.595779+010020365941Malware Command and Control Activity Detected192.168.2.550132198.23.227.21232583TCP
                            2024-11-05T12:43:58.147233+010020365941Malware Command and Control Activity Detected192.168.2.550133198.23.227.21232583TCP
                            2024-11-05T12:43:58.685798+010020365941Malware Command and Control Activity Detected192.168.2.550134198.23.227.21232583TCP
                            2024-11-05T12:43:59.222257+010020365941Malware Command and Control Activity Detected192.168.2.550135198.23.227.21232583TCP
                            2024-11-05T12:43:59.764331+010020365941Malware Command and Control Activity Detected192.168.2.550136198.23.227.21232583TCP
                            2024-11-05T12:44:00.323895+010020365941Malware Command and Control Activity Detected192.168.2.550137198.23.227.21232583TCP
                            2024-11-05T12:44:01.070565+010020365941Malware Command and Control Activity Detected192.168.2.550138198.23.227.21232583TCP
                            2024-11-05T12:44:01.616367+010020365941Malware Command and Control Activity Detected192.168.2.550139198.23.227.21232583TCP
                            2024-11-05T12:44:02.155728+010020365941Malware Command and Control Activity Detected192.168.2.550140198.23.227.21232583TCP
                            2024-11-05T12:44:02.683392+010020365941Malware Command and Control Activity Detected192.168.2.550141198.23.227.21232583TCP
                            2024-11-05T12:44:03.219797+010020365941Malware Command and Control Activity Detected192.168.2.550142198.23.227.21232583TCP
                            2024-11-05T12:44:03.759407+010020365941Malware Command and Control Activity Detected192.168.2.550143198.23.227.21232583TCP
                            2024-11-05T12:44:04.290620+010020365941Malware Command and Control Activity Detected192.168.2.550144198.23.227.21232583TCP
                            2024-11-05T12:44:04.834166+010020365941Malware Command and Control Activity Detected192.168.2.550145198.23.227.21232583TCP
                            2024-11-05T12:44:05.391700+010020365941Malware Command and Control Activity Detected192.168.2.550146198.23.227.21232583TCP
                            2024-11-05T12:44:05.947698+010020365941Malware Command and Control Activity Detected192.168.2.550147198.23.227.21232583TCP
                            2024-11-05T12:44:06.483583+010020365941Malware Command and Control Activity Detected192.168.2.550148198.23.227.21232583TCP
                            2024-11-05T12:44:07.012526+010020365941Malware Command and Control Activity Detected192.168.2.550149198.23.227.21232583TCP
                            2024-11-05T12:44:07.543666+010020365941Malware Command and Control Activity Detected192.168.2.550150198.23.227.21232583TCP
                            2024-11-05T12:44:08.250452+010020365941Malware Command and Control Activity Detected192.168.2.550151198.23.227.21232583TCP
                            2024-11-05T12:44:08.786119+010020365941Malware Command and Control Activity Detected192.168.2.550152198.23.227.21232583TCP
                            2024-11-05T12:44:09.708193+010020365941Malware Command and Control Activity Detected192.168.2.550153198.23.227.21232583TCP
                            2024-11-05T12:44:10.231127+010020365941Malware Command and Control Activity Detected192.168.2.550154198.23.227.21232583TCP
                            2024-11-05T12:44:10.763760+010020365941Malware Command and Control Activity Detected192.168.2.550155198.23.227.21232583TCP
                            2024-11-05T12:44:11.297865+010020365941Malware Command and Control Activity Detected192.168.2.550156198.23.227.21232583TCP
                            2024-11-05T12:44:11.833364+010020365941Malware Command and Control Activity Detected192.168.2.550157198.23.227.21232583TCP
                            2024-11-05T12:44:12.366813+010020365941Malware Command and Control Activity Detected192.168.2.550158198.23.227.21232583TCP
                            2024-11-05T12:44:12.887760+010020365941Malware Command and Control Activity Detected192.168.2.550159198.23.227.21232583TCP
                            2024-11-05T12:44:14.092290+010020365941Malware Command and Control Activity Detected192.168.2.550160198.23.227.21232583TCP
                            2024-11-05T12:44:14.623763+010020365941Malware Command and Control Activity Detected192.168.2.550161198.23.227.21232583TCP
                            2024-11-05T12:44:15.167873+010020365941Malware Command and Control Activity Detected192.168.2.550162198.23.227.21232583TCP
                            2024-11-05T12:44:15.699653+010020365941Malware Command and Control Activity Detected192.168.2.550163198.23.227.21232583TCP
                            2024-11-05T12:44:16.238179+010020365941Malware Command and Control Activity Detected192.168.2.550164198.23.227.21232583TCP
                            2024-11-05T12:44:16.755767+010020365941Malware Command and Control Activity Detected192.168.2.550165198.23.227.21232583TCP
                            2024-11-05T12:44:17.301505+010020365941Malware Command and Control Activity Detected192.168.2.550166198.23.227.21232583TCP
                            2024-11-05T12:44:17.823427+010020365941Malware Command and Control Activity Detected192.168.2.550167198.23.227.21232583TCP
                            2024-11-05T12:44:18.348744+010020365941Malware Command and Control Activity Detected192.168.2.550168198.23.227.21232583TCP
                            2024-11-05T12:44:18.883698+010020365941Malware Command and Control Activity Detected192.168.2.550169198.23.227.21232583TCP
                            2024-11-05T12:44:19.427743+010020365941Malware Command and Control Activity Detected192.168.2.550170198.23.227.21232583TCP
                            2024-11-05T12:44:19.958301+010020365941Malware Command and Control Activity Detected192.168.2.550171198.23.227.21232583TCP
                            2024-11-05T12:44:20.475439+010020365941Malware Command and Control Activity Detected192.168.2.550172198.23.227.21232583TCP
                            2024-11-05T12:44:21.007406+010020365941Malware Command and Control Activity Detected192.168.2.550173198.23.227.21232583TCP
                            2024-11-05T12:44:21.556218+010020365941Malware Command and Control Activity Detected192.168.2.550174198.23.227.21232583TCP
                            2024-11-05T12:44:22.085316+010020365941Malware Command and Control Activity Detected192.168.2.550175198.23.227.21232583TCP
                            2024-11-05T12:44:22.608430+010020365941Malware Command and Control Activity Detected192.168.2.550176198.23.227.21232583TCP
                            2024-11-05T12:44:23.163791+010020365941Malware Command and Control Activity Detected192.168.2.550177198.23.227.21232583TCP
                            2024-11-05T12:44:23.695640+010020365941Malware Command and Control Activity Detected192.168.2.550178198.23.227.21232583TCP
                            2024-11-05T12:44:24.210179+010020365941Malware Command and Control Activity Detected192.168.2.550179198.23.227.21232583TCP
                            2024-11-05T12:44:24.739735+010020365941Malware Command and Control Activity Detected192.168.2.550180198.23.227.21232583TCP
                            2024-11-05T12:44:25.271617+010020365941Malware Command and Control Activity Detected192.168.2.550181198.23.227.21232583TCP
                            2024-11-05T12:44:25.786672+010020365941Malware Command and Control Activity Detected192.168.2.550182198.23.227.21232583TCP
                            2024-11-05T12:44:26.308862+010020365941Malware Command and Control Activity Detected192.168.2.550183198.23.227.21232583TCP
                            2024-11-05T12:44:26.849798+010020365941Malware Command and Control Activity Detected192.168.2.550184198.23.227.21232583TCP
                            2024-11-05T12:44:27.366211+010020365941Malware Command and Control Activity Detected192.168.2.550185198.23.227.21232583TCP
                            2024-11-05T12:44:27.904925+010020365941Malware Command and Control Activity Detected192.168.2.550186198.23.227.21232583TCP
                            2024-11-05T12:44:28.434320+010020365941Malware Command and Control Activity Detected192.168.2.550187198.23.227.21232583TCP
                            2024-11-05T12:44:28.987796+010020365941Malware Command and Control Activity Detected192.168.2.550188198.23.227.21232583TCP
                            2024-11-05T12:44:29.558237+010020365941Malware Command and Control Activity Detected192.168.2.550189198.23.227.21232583TCP
                            2024-11-05T12:44:30.066221+010020365941Malware Command and Control Activity Detected192.168.2.550190198.23.227.21232583TCP
                            2024-11-05T12:44:30.588804+010020365941Malware Command and Control Activity Detected192.168.2.550191198.23.227.21232583TCP
                            2024-11-05T12:44:31.105074+010020365941Malware Command and Control Activity Detected192.168.2.550192198.23.227.21232583TCP
                            2024-11-05T12:44:31.622793+010020365941Malware Command and Control Activity Detected192.168.2.550193198.23.227.21232583TCP
                            2024-11-05T12:44:32.167769+010020365941Malware Command and Control Activity Detected192.168.2.550194198.23.227.21232583TCP
                            2024-11-05T12:44:32.712709+010020365941Malware Command and Control Activity Detected192.168.2.550195198.23.227.21232583TCP
                            2024-11-05T12:44:33.229889+010020365941Malware Command and Control Activity Detected192.168.2.550196198.23.227.21232583TCP
                            2024-11-05T12:44:33.755794+010020365941Malware Command and Control Activity Detected192.168.2.550197198.23.227.21232583TCP
                            2024-11-05T12:44:34.286058+010020365941Malware Command and Control Activity Detected192.168.2.550198198.23.227.21232583TCP
                            2024-11-05T12:44:34.801824+010020365941Malware Command and Control Activity Detected192.168.2.550199198.23.227.21232583TCP
                            2024-11-05T12:44:35.331769+010020365941Malware Command and Control Activity Detected192.168.2.550200198.23.227.21232583TCP
                            2024-11-05T12:44:35.859608+010020365941Malware Command and Control Activity Detected192.168.2.550201198.23.227.21232583TCP
                            2024-11-05T12:44:36.397083+010020365941Malware Command and Control Activity Detected192.168.2.550202198.23.227.21232583TCP
                            2024-11-05T12:44:36.937718+010020365941Malware Command and Control Activity Detected192.168.2.550203198.23.227.21232583TCP
                            2024-11-05T12:44:37.490310+010020365941Malware Command and Control Activity Detected192.168.2.550204198.23.227.21232583TCP
                            2024-11-05T12:44:38.007789+010020365941Malware Command and Control Activity Detected192.168.2.550205198.23.227.21232583TCP
                            2024-11-05T12:44:38.554974+010020365941Malware Command and Control Activity Detected192.168.2.550206198.23.227.21232583TCP
                            2024-11-05T12:44:39.076802+010020365941Malware Command and Control Activity Detected192.168.2.550207198.23.227.21232583TCP
                            2024-11-05T12:44:39.606120+010020365941Malware Command and Control Activity Detected192.168.2.550208198.23.227.21232583TCP
                            2024-11-05T12:44:40.124778+010020365941Malware Command and Control Activity Detected192.168.2.550209198.23.227.21232583TCP
                            2024-11-05T12:44:40.651761+010020365941Malware Command and Control Activity Detected192.168.2.550210198.23.227.21232583TCP
                            2024-11-05T12:44:41.187740+010020365941Malware Command and Control Activity Detected192.168.2.550211198.23.227.21232583TCP
                            2024-11-05T12:44:41.714906+010020365941Malware Command and Control Activity Detected192.168.2.550212198.23.227.21232583TCP
                            2024-11-05T12:44:42.231114+010020365941Malware Command and Control Activity Detected192.168.2.550213198.23.227.21232583TCP
                            2024-11-05T12:44:42.752512+010020365941Malware Command and Control Activity Detected192.168.2.550214198.23.227.21232583TCP
                            2024-11-05T12:44:43.289826+010020365941Malware Command and Control Activity Detected192.168.2.550215198.23.227.21232583TCP
                            2024-11-05T12:44:43.803040+010020365941Malware Command and Control Activity Detected192.168.2.550216198.23.227.21232583TCP
                            2024-11-05T12:44:44.334763+010020365941Malware Command and Control Activity Detected192.168.2.550217198.23.227.21232583TCP
                            2024-11-05T12:44:44.857112+010020365941Malware Command and Control Activity Detected192.168.2.550218198.23.227.21232583TCP
                            2024-11-05T12:44:45.411748+010020365941Malware Command and Control Activity Detected192.168.2.550219198.23.227.21232583TCP
                            2024-11-05T12:44:45.935807+010020365941Malware Command and Control Activity Detected192.168.2.550220198.23.227.21232583TCP
                            2024-11-05T12:44:46.461907+010020365941Malware Command and Control Activity Detected192.168.2.550221198.23.227.21232583TCP
                            2024-11-05T12:44:46.983157+010020365941Malware Command and Control Activity Detected192.168.2.550222198.23.227.21232583TCP
                            2024-11-05T12:44:47.515743+010020365941Malware Command and Control Activity Detected192.168.2.550223198.23.227.21232583TCP
                            2024-11-05T12:44:48.072010+010020365941Malware Command and Control Activity Detected192.168.2.550224198.23.227.21232583TCP
                            2024-11-05T12:44:48.594555+010020365941Malware Command and Control Activity Detected192.168.2.550225198.23.227.21232583TCP
                            2024-11-05T12:44:49.121768+010020365941Malware Command and Control Activity Detected192.168.2.550226198.23.227.21232583TCP
                            2024-11-05T12:44:49.639823+010020365941Malware Command and Control Activity Detected192.168.2.550227198.23.227.21232583TCP
                            2024-11-05T12:44:50.167794+010020365941Malware Command and Control Activity Detected192.168.2.550228198.23.227.21232583TCP
                            2024-11-05T12:44:50.679800+010020365941Malware Command and Control Activity Detected192.168.2.550229198.23.227.21232583TCP
                            2024-11-05T12:44:51.211186+010020365941Malware Command and Control Activity Detected192.168.2.550230198.23.227.21232583TCP
                            2024-11-05T12:44:51.733440+010020365941Malware Command and Control Activity Detected192.168.2.550231198.23.227.21232583TCP
                            2024-11-05T12:44:52.252814+010020365941Malware Command and Control Activity Detected192.168.2.550232198.23.227.21232583TCP
                            2024-11-05T12:44:52.788428+010020365941Malware Command and Control Activity Detected192.168.2.550233198.23.227.21232583TCP
                            2024-11-05T12:44:53.303862+010020365941Malware Command and Control Activity Detected192.168.2.550234198.23.227.21232583TCP
                            2024-11-05T12:44:53.839257+010020365941Malware Command and Control Activity Detected192.168.2.550235198.23.227.21232583TCP
                            2024-11-05T12:44:54.362222+010020365941Malware Command and Control Activity Detected192.168.2.550236198.23.227.21232583TCP
                            2024-11-05T12:44:54.907233+010020365941Malware Command and Control Activity Detected192.168.2.550237198.23.227.21232583TCP
                            2024-11-05T12:44:55.417842+010020365941Malware Command and Control Activity Detected192.168.2.550238198.23.227.21232583TCP
                            2024-11-05T12:44:55.948933+010020365941Malware Command and Control Activity Detected192.168.2.550239198.23.227.21232583TCP
                            2024-11-05T12:44:56.475829+010020365941Malware Command and Control Activity Detected192.168.2.550240198.23.227.21232583TCP
                            2024-11-05T12:44:56.993855+010020365941Malware Command and Control Activity Detected192.168.2.550241198.23.227.21232583TCP
                            2024-11-05T12:44:57.509374+010020365941Malware Command and Control Activity Detected192.168.2.550242198.23.227.21232583TCP
                            2024-11-05T12:44:58.024192+010020365941Malware Command and Control Activity Detected192.168.2.550243198.23.227.21232583TCP
                            2024-11-05T12:44:58.541811+010020365941Malware Command and Control Activity Detected192.168.2.550244198.23.227.21232583TCP
                            2024-11-05T12:44:59.054882+010020365941Malware Command and Control Activity Detected192.168.2.550245198.23.227.21232583TCP
                            2024-11-05T12:44:59.574991+010020365941Malware Command and Control Activity Detected192.168.2.550246198.23.227.21232583TCP
                            2024-11-05T12:45:00.087889+010020365941Malware Command and Control Activity Detected192.168.2.550247198.23.227.21232583TCP
                            2024-11-05T12:45:00.594542+010020365941Malware Command and Control Activity Detected192.168.2.550248198.23.227.21232583TCP
                            2024-11-05T12:45:01.115376+010020365941Malware Command and Control Activity Detected192.168.2.550249198.23.227.21232583TCP
                            2024-11-05T12:45:01.629850+010020365941Malware Command and Control Activity Detected192.168.2.550250198.23.227.21232583TCP
                            2024-11-05T12:45:02.165776+010020365941Malware Command and Control Activity Detected192.168.2.550251198.23.227.21232583TCP
                            2024-11-05T12:45:02.681826+010020365941Malware Command and Control Activity Detected192.168.2.550252198.23.227.21232583TCP
                            2024-11-05T12:45:03.201397+010020365941Malware Command and Control Activity Detected192.168.2.550253198.23.227.21232583TCP
                            2024-11-05T12:45:03.716004+010020365941Malware Command and Control Activity Detected192.168.2.550254198.23.227.21232583TCP
                            2024-11-05T12:45:04.229865+010020365941Malware Command and Control Activity Detected192.168.2.550255198.23.227.21232583TCP
                            2024-11-05T12:45:04.742081+010020365941Malware Command and Control Activity Detected192.168.2.550256198.23.227.21232583TCP
                            2024-11-05T12:45:05.280536+010020365941Malware Command and Control Activity Detected192.168.2.550257198.23.227.21232583TCP
                            2024-11-05T12:45:05.799769+010020365941Malware Command and Control Activity Detected192.168.2.550258198.23.227.21232583TCP
                            2024-11-05T12:45:06.311997+010020365941Malware Command and Control Activity Detected192.168.2.550259198.23.227.21232583TCP
                            2024-11-05T12:45:06.818374+010020365941Malware Command and Control Activity Detected192.168.2.550260198.23.227.21232583TCP
                            2024-11-05T12:45:07.331837+010020365941Malware Command and Control Activity Detected192.168.2.550261198.23.227.21232583TCP
                            2024-11-05T12:45:07.844204+010020365941Malware Command and Control Activity Detected192.168.2.550262198.23.227.21232583TCP
                            2024-11-05T12:45:08.364208+010020365941Malware Command and Control Activity Detected192.168.2.550263198.23.227.21232583TCP
                            2024-11-05T12:45:08.883524+010020365941Malware Command and Control Activity Detected192.168.2.550264198.23.227.21232583TCP
                            2024-11-05T12:45:09.399849+010020365941Malware Command and Control Activity Detected192.168.2.550265198.23.227.21232583TCP
                            2024-11-05T12:45:09.915856+010020365941Malware Command and Control Activity Detected192.168.2.550266198.23.227.21232583TCP
                            2024-11-05T12:45:10.431711+010020365941Malware Command and Control Activity Detected192.168.2.550267198.23.227.21232583TCP
                            2024-11-05T12:45:10.946643+010020365941Malware Command and Control Activity Detected192.168.2.550268198.23.227.21232583TCP
                            2024-11-05T12:45:11.463976+010020365941Malware Command and Control Activity Detected192.168.2.550269198.23.227.21232583TCP
                            2024-11-05T12:45:11.975816+010020365941Malware Command and Control Activity Detected192.168.2.550270198.23.227.21232583TCP
                            2024-11-05T12:45:12.490979+010020365941Malware Command and Control Activity Detected192.168.2.550271198.23.227.21232583TCP
                            2024-11-05T12:45:13.003193+010020365941Malware Command and Control Activity Detected192.168.2.550272198.23.227.21232583TCP
                            2024-11-05T12:45:13.786673+010020365941Malware Command and Control Activity Detected192.168.2.550273198.23.227.21232583TCP
                            2024-11-05T12:45:14.301565+010020365941Malware Command and Control Activity Detected192.168.2.550274198.23.227.21232583TCP
                            2024-11-05T12:45:14.827836+010020365941Malware Command and Control Activity Detected192.168.2.550275198.23.227.21232583TCP
                            2024-11-05T12:45:15.348487+010020365941Malware Command and Control Activity Detected192.168.2.550276198.23.227.21232583TCP
                            2024-11-05T12:45:15.859586+010020365941Malware Command and Control Activity Detected192.168.2.550277198.23.227.21232583TCP
                            2024-11-05T12:45:16.375881+010020365941Malware Command and Control Activity Detected192.168.2.550278198.23.227.21232583TCP
                            2024-11-05T12:45:16.888904+010020365941Malware Command and Control Activity Detected192.168.2.550279198.23.227.21232583TCP
                            2024-11-05T12:45:17.410495+010020365941Malware Command and Control Activity Detected192.168.2.550280198.23.227.21232583TCP
                            2024-11-05T12:45:17.915097+010020365941Malware Command and Control Activity Detected192.168.2.550281198.23.227.21232583TCP
                            2024-11-05T12:45:18.437984+010020365941Malware Command and Control Activity Detected192.168.2.550282198.23.227.21232583TCP
                            2024-11-05T12:45:18.953915+010020365941Malware Command and Control Activity Detected192.168.2.550283198.23.227.21232583TCP
                            2024-11-05T12:45:19.467324+010020365941Malware Command and Control Activity Detected192.168.2.550284198.23.227.21232583TCP
                            2024-11-05T12:45:20.007344+010020365941Malware Command and Control Activity Detected192.168.2.550285198.23.227.21232583TCP
                            2024-11-05T12:45:21.377464+010020365941Malware Command and Control Activity Detected192.168.2.550286198.23.227.21232583TCP
                            2024-11-05T12:45:21.887831+010020365941Malware Command and Control Activity Detected192.168.2.550287198.23.227.21232583TCP
                            2024-11-05T12:45:22.404412+010020365941Malware Command and Control Activity Detected192.168.2.550288198.23.227.21232583TCP

                            AV Detection

                            Source: ZeaS4nUxg4.exe | Avira: detected
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Avira: detection malicious, Label: BDS/Backdoor.Gen
                            Source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | ReversingLabs: Detection: 55%
                            Source: ZeaS4nUxg4.exe | ReversingLabs: Detection: 55%
                            Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
                            Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037907768.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2249150628.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168449413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Joe Sandbox ML: detected
                            Source: ZeaS4nUxg4.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
                            Source: ZeaS4nUxg4.exe, 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_c094995b-f

                            Exploits

                            Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
                            Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED

                            Privilege Escalation

                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
                            Source: ZeaS4nUxg4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                            Networking

                            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49705 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50100 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50088 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50101 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50074 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50097 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50103 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50102 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50099 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50106 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50108 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50104 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50111 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50112 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50109 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50114 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50107 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50116 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50105 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50110 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50117 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50093 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50118 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50115 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50120 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50121 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50113 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50122 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50098 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50123 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50125 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50119 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50124 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50127 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50130 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50126 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50128 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50131 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50132 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50129 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50133 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50135 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50134 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50136 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50138 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50140 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50141 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50142 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50143 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50144 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50145 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50147 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50137 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50150 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50146 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50151 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50149 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50153 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50154 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50148 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50155 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50152 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50156 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50157 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50158 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50159 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50139 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50163 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50164 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50160 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50162 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50165 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50166 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50161 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50167 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50168 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50170 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50169 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50172 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50174 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50171 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50173 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50175 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50177 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50178 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50176 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50179 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50181 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50183 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50185 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50184 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50186 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50188 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50180 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50191 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50192 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50193 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50189 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50195 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50194 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50187 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50199 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50201 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50198 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50203 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50190 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50196 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50205 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50206 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50202 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50208 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50212 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50207 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50210 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50209 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50213 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50182 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50211 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50204 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50218 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50214 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50219 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50216 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50215 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50223 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50224 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50220 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50217 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50222 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50225 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50226 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50229 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50227 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50230 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50231 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50221 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50228 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50234 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50233 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50237 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50232 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50235 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50238 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50236 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50243 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50239 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50244 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50241 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50240 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50245 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50242 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50247 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50246 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50250 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50252 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50251 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50254 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50255 -> 198.23.227.212:32583
                            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50256 -> 198.23.227.212:32583
                            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50257 -> 198.23.227.212:32583
                            Source: Network traffic | Suricata IDS: the same 2036594 alert fired for 64 further TLS connections from 192.168.2.5 to 198.23.227.212:32583 (client source ports 50197, 50200, 50248, 50249, 50253 and 50258 through 50316), 65 alerts in total
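                            The ET alert above matches on a JA3 fingerprint, the MD5 of five fields taken from the client's TLS ClientHello, which is why it fires identically on every one of the 65 connections: the Remcos client builds the same ClientHello each time. The script below is an added example (not part of the Joe Sandbox report and not Emerging Threats' rule logic) that derives a JA3 string and hash from a ClientHello the way the rule's author would have. The ClientHello bytes are constructed in the script so it runs offline; the hash it prints is that of the constructed hello, not the Remcos hash carried in rule 2036594.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler that clients rotate between
# connections; JA3 drops them so the fingerprint stays stable.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 inputs out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip record header: type, version, length
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 32                             # client random
    pos += 1 + body[pos]                  # session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                  # compression methods
    extensions, curves, point_formats = [], [], []
    if pos < len(body):                   # the extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000a:           # supported_groups (elliptic curves)
                n = int.from_bytes(data[:2], "big")
                curves = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:         # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3_string(fields: dict) -> str:
    """JA3 text form: 'Version,Ciphers,Extensions,Curves,PointFormats', decimal, '-' joined."""
    def join(values, drop_grease=True):
        return "-".join(str(v) for v in values if not (drop_grease and v in GREASE))
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["curves"]),
                     join(fields["point_formats"], drop_grease=False)])


def ja3_hash(record: bytes) -> str:
    """The 32-hex-char MD5 that JA3-based IDS rules compare against."""
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record (constructed input, not a capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"          # random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed ClientHello; a GREASE cipher and a GREASE group are included on
# purpose to show that they are filtered out of the fingerprint.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0xc02b, 0xc02f, 0x009c],
    [(0x0000, b"\x00\x0c\x00\x00\x09localhost"),       # server_name
     (0x000a, b"\x00\x06\x1a\x1a\x00\x1d\x00\x17"),    # supported_groups: GREASE, x25519, secp256r1
     (0x000b, b"\x01\x00"),                            # ec_point_formats: uncompressed
     (0x0023, b"")],                                   # session_ticket
)

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))   # 771,49195-49199-156,0-10-11-35,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

                            The practical caveat when hunting with the hash from this report: JA3 identifies the TLS library and its configuration, not the malware family. A custom client like Remcos has a distinctive hello, so the hash is a strong indicator here, but a hash produced by a common library would match plenty of benign software, which is why a JA3 hit should be paired with the destination (198.23.227.212:32583 in this case) before it is treated as a C2 detection.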
                            Source: Malware configuration extractor | IPs: 198.23.227.212
                            Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 198.23.227.212:32583
                            Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                            Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49715
                            Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49952
                            (Both 2022930 alerts are on inbound data from 52.149.20.212:443, a host other than the configured C2 198.23.227.212, so they belong to a different flow than the Remcos connections above.)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 198.23.227.212 (this line is repeated 50 times in the report, once per connection)
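                            The "TCP traffic without corresponding DNS query" finding is one of the cheaper network detections to reproduce outside a sandbox: Remcos carries its C2 as a literal IP in its configuration (the extractor above recovered 198.23.227.212), so the client never resolves a name before connecting. The script below is an added example, not Joe Sandbox's own logic; it correlates Zeek-style conn and dns records, flags connections to globally routable hosts that no earlier DNS answer accounts for, skips LAN and loopback destinations, and treats an answer that arrives only after the connection as not explaining it. The log lines are constructed for the example; 198.23.227.212:32583 is taken from this report, the other public addresses are placeholders.

```python
import ipaddress
import json

# Constructed Zeek-style JSON log lines; none of this is the report's capture.
# 198.23.227.212:32583 is the C2 endpoint the report extracted from the config;
# the other public addresses are placeholders chosen for the scenario.
DNS_LOG = [
    '{"ts": 100.0, "query": "www.example.com", "answers": ["example.com", "93.184.216.34"]}',
    '{"ts": 130.0, "query": "cdn.example.net", "answers": ["151.101.1.69", "104.18.2.3"]}',
]
CONN_LOG = [
    '{"ts": 101.0, "id.orig_h": "192.168.2.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443}',
    '{"ts": 105.0, "id.orig_h": "192.168.2.5", "id.resp_h": "198.23.227.212", "id.resp_p": 32583}',
    '{"ts": 120.0, "id.orig_h": "192.168.2.5", "id.resp_h": "151.101.1.69", "id.resp_p": 443}',
    '{"ts": 140.0, "id.orig_h": "192.168.2.5", "id.resp_h": "104.18.2.3", "id.resp_p": 443}',
    '{"ts": 150.0, "id.orig_h": "192.168.2.5", "id.resp_h": "192.168.2.1", "id.resp_p": 53}',
]


def first_answer_time(dns_lines):
    """Map each IP returned in a DNS answer to the earliest time it was returned.
    Non-IP answer data (CNAME targets) is ignored."""
    first_seen = {}
    for line in dns_lines:
        rec = json.loads(line)
        for answer in rec.get("answers", []):
            try:
                ip = str(ipaddress.ip_address(answer))
            except ValueError:
                continue
            first_seen[ip] = min(first_seen.get(ip, rec["ts"]), rec["ts"])
    return first_seen


def connections_without_dns(conn_lines, dns_lines, window=3600.0):
    """Return (dst_ip, dst_port, ts) for connections to globally routable hosts
    that no DNS answer in the preceding `window` seconds accounts for.
    An answer that arrives after the connection does not explain it."""
    first_seen = first_answer_time(dns_lines)
    hits = []
    for line in conn_lines:
        rec = json.loads(line)
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if not dst.is_global:            # LAN, loopback, link-local: no lookup expected
            continue
        seen = first_seen.get(str(dst))
        if seen is None or seen > rec["ts"] or rec["ts"] - seen > window:
            hits.append((str(dst), rec["id.resp_p"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for ip, port, ts in connections_without_dns(CONN_LOG, DNS_LOG):
        print(f"{ts:.1f} no DNS answer explains {ip}:{port}")
```

                            On real traffic the `window` value matters: browsers and OS services cache answers for far longer than one lookup, so a short window produces noise from cached names, while an unbounded one lets an old answer excuse a later connection to a host that has since been repurposed. DNS-over-HTTPS clients and hosts file entries are the other common sources of benign direct-IP connections and need an allowlist rather than a longer window.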
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004260F7 recv
                            Source: ZeaS4nUxg4.exe | String found in binary or memory: http://geoplugin.net/json.gp
                            Source: ZeaS4nUxg4.exe, yavascript.exe.0.dr | String found in binary or memory: http://geoplugin.net/json.gp/C

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 (hook id 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook)
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                            Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
                            Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED

                            E-Banking Fraud

                            Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
                            Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037907768.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2249150628.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2168449413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED

                            Spam, unwanted Advertisements and Ransom Demands

                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041BB77 SystemParametersInfoW

                            System Summary

                            Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Author: unknown
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process Stats: CPU usage > 49%
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041D071
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004520D2
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043D098
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00437150
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004361AA
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00426254
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00431377
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043651C
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041E5DF
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0044C739
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004367C6
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004267CB
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043C9DD
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00432A49
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00436A8D0_2_00436A8D
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_0043CC0C0_2_0043CC0C
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00436D480_2_00436D48
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00434D220_2_00434D22
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00426E730_2_00426E73
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00440E200_2_00440E20
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_0043CE3B0_2_0043CE3B
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00412F450_2_00412F45
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00452F000_2_00452F00
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00426FAD0_2_00426FAD
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: String function: 00401F66 appears 50 times
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: String function: 004020E7 appears 39 times
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: String function: 004338A5 appears 42 times
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: String function: 00433FB0 appears 55 times
                            Source: ZeaS4nUxg4.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: ZeaS4nUxg4.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/2@0/1
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | File created: C:\Users\user\AppData\Roaming\xenor
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Software\ (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Rmc-I7G983 (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Exe (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Exe (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Rmc-I7G983 (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0DG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Inj (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Inj (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: hxc (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0+b (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0+b (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0+b (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: @CG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0+b (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: exepath (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: @CG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: exepath (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: 0+b (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: licence (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: `=G (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: XCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: dCG (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: Administrator (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: User (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: del (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: del (0_2_0040D767)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Command line argument: del (0_2_0040D767)
Source: ZeaS4nUxg4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZeaS4nUxg4.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | File read: C:\Users\user\Desktop\ZeaS4nUxg4.exe
Source: unknown | Process created: C:\Users\user\Desktop\ZeaS4nUxg4.exe "C:\Users\user\Desktop\ZeaS4nUxg4.exe"
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                            Source: C:\Users\user\Desktop\ZeaS4nUxg4.exeFile created: C:\Users\user\AppData\Roaming\xenor\yavascript.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Window / User API: threadDelayed 618
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Window / User API: threadDelayed 9295
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Evaded block: after key decision (graph_0-46913)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Evaded block: after key decision (graph_0-46888)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | API coverage: 5.3 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 6156 | Thread sleep count: 618 > 30
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 6156 | Thread sleep time: -1854000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 6156 | Thread sleep count: 9295 > 30
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 6156 | Thread sleep time: -27885000s >= -30000s
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
Source: yavascript.exe, 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] 0_2_00442554
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0044E92E GetProcessHeap,0_2_0044E92E
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe (0_2_00410F36)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00418754 mouse_event,0_2_00418754
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00433E0A cpuid 0_2_00433E0A
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: EnumSystemLocalesW,0_2_004470AE
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoW,0_2_004510BA
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoW,0_2_004512EA
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoW,0_2_00447597
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoA,0_2_0040E679
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: EnumSystemLocalesW,0_2_00450CF7
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: EnumSystemLocalesW,0_2_00450D42
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: EnumSystemLocalesW,0_2_00450DDD
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434010
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2037907768.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2249150628.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2168449413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (0_2_0040B21B)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (0_2_0040B335)
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: \key3.db (0_2_0040B335)

Remote Access Functionality

Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: Yara match | File source: ZeaS4nUxg4.exe, type: SAMPLE
Source: Yara match | File source: 3.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZeaS4nUxg4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2037907768.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2249150628.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2168449413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZeaS4nUxg4.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, type: DROPPED
Source: C:\Users\user\Desktop\ZeaS4nUxg4.exe | Code function: cmd.exe (0_2_00405042)
MITRE ATT&CK Matrix (numbers preceding a technique are the signature hit counts shown for that cell; cells without a number are the matrix layout)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Process Injection | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1
                            System Owner/User Discovery
                            Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                            Hide Legend
                            Source | Detection | Scanner | Label
                            ZeaS4nUxg4.exe | 55% | ReversingLabs | Win32.Backdoor.Remcos
                            ZeaS4nUxg4.exe | 100% | Avira | BDS/Backdoor.Gen
                            ZeaS4nUxg4.exe | 100% | Joe Sandbox ML |
                            Source | Detection | Scanner | Label
                            C:\Users\user\AppData\Roaming\xenor\yavascript.exe | 100% | Avira | BDS/Backdoor.Gen
                            C:\Users\user\AppData\Roaming\xenor\yavascript.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Roaming\xenor\yavascript.exe | 55% | ReversingLabs | Win32.Backdoor.Remcos
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
                            No contacted domains info
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://geoplugin.net/json.gp | ZeaS4nUxg4.exe | false | | high
                            http://geoplugin.net/json.gp/C | ZeaS4nUxg4.exe, yavascript.exe.0.dr | false | | high
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                198.23.227.212 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1549219
                                Start date and time:2024-11-05 12:40:41 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 32s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of new started processes analysed:7
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:ZeaS4nUxg4.exe
                                renamed because original name is a hash value
                                Original Sample Name:7a9cf1b27f192c4e65b215b4a126fac4aa8d34397d020568ba4590a15502cf9c.exe
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@5/2@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 11
                                • Number of non-executed functions: 222
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: ZeaS4nUxg4.exe
                                Time | Type | Description
                                06:42:07 | API Interceptor | 4481434x Sleep call for process: yavascript.exe modified
                                12:41:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                12:41:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                198.23.227.212 | documents-pdf.exe | malicious | Remcos |
                                 | 1kZ9olJiaG.exe | malicious | Remcos |
                                 | ltlbVjClX9.exe | malicious | Remcos |
                                No context
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                AS-COLOCROSSINGUS | 6Ctc0o7vhqKgjU7.exe | malicious | Remcos | 192.3.64.152
                                 | bestgreetingwithbestthingsevermadewithgreatthigns.hta | malicious | Cobalt Strike, HTMLPhisher | 104.168.7.52
                                 | orden de compra_.xlam.xlsx | malicious | AgentTesla | 23.95.60.88
                                 | Scan docs.xls | malicious | HTMLPhisher, Lokibot | 104.168.7.52
                                 | bin.x86.elf | malicious | Mirai | 198.12.107.126
                                 | givingbestthignswithgreatheatcaptialthingstodo.hta | malicious | Cobalt Strike, HTMLPhisher | 107.173.4.23
                                 | Payment Advice-Ref[A22D4YdWsbE4].xla.xlsx | malicious | FormBook, HTMLPhisher | 107.173.4.23
                                 | ORDER-24110394.PDF.js | malicious | Unknown | 192.3.220.6
                                 | sora.mips.elf | malicious | Mirai | 104.168.36.42
                                 | Payload 94.75.225.exe | malicious | Unknown | 107.173.148.133
                                No context
                                No context
                                      Process:C:\Users\user\Desktop\ZeaS4nUxg4.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):493056
                                      Entropy (8bit):6.389031605624601
                                      Encrypted:false
                                      SSDEEP:12288:WuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDM:109AfNIEYsunZvZ19Z
                                      MD5:D457D91B513AC2E3A4B539C28537DA71
                                      SHA1:9FD2ACA60E95212DE7CCC546DD82729B5D050F02
                                      SHA-256:7A9CF1B27F192C4E65B215B4A126FAC4AA8D34397D020568BA4590A15502CF9C
                                      SHA-512:9DE802AD54C822F3211FB60D0379FB8DEB0DEA66FE555BEE245B42100819E5B9618928C89A53980436690F7DCCCA9EB430B348A82448A7F614841B2CE27150AE
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: unknown
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 55%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H..........PE..L...k.$g.................`..."......:;.......p....@......................................................................... ........`...J..........................................................H...@............................................text...._.......`.................. ..`.rdata.......p.......d..............@..@.data...l]..........................@....rsrc....J...`...L..................@..@.reloc...;.......<...J..............@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\ZeaS4nUxg4.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.389031605624601
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:ZeaS4nUxg4.exe
                                      File size:493'056 bytes
                                      MD5:d457d91b513ac2e3a4b539c28537da71
                                      SHA1:9fd2aca60e95212de7ccc546dd82729b5d050f02
                                      SHA256:7a9cf1b27f192c4e65b215b4a126fac4aa8d34397d020568ba4590a15502cf9c
                                      SHA512:9de802ad54c822f3211fb60d0379fb8deb0dea66fe555bee245b42100819e5b9618928c89a53980436690f7dccca9eb430b348a82448a7f614841b2ce27150ae
                                      SSDEEP:12288:WuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDM:109AfNIEYsunZvZ19Z
                                      TLSH:A9A4BF01B6D2C072D57625300D26E775DEB9BD212835897BB3DA1D6BFE30180E63ABB1
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                      Icon Hash:95694d05214c1b33
                                      Entrypoint:0x433b3a
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:829c4cf6a1c5c2df3a1bc836f906ee28
                                      Instruction
                                      call 00007F9018C22243h
                                      jmp 00007F9018C21B9Fh
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000324h
                                      push ebx
                                      push 00000017h
                                      call 00007F9018C44079h
                                      test eax, eax
                                      je 00007F9018C21D27h
                                      mov ecx, dword ptr [ebp+08h]
                                      int 29h
                                      push 00000003h
                                      call 00007F9018C21EE4h
                                      mov dword ptr [esp], 000002CCh
                                      lea eax, dword ptr [ebp-00000324h]
                                      push 00000000h
                                      push eax
                                      call 00007F9018C241FBh
                                      add esp, 0Ch
                                      mov dword ptr [ebp-00000274h], eax
                                      mov dword ptr [ebp-00000278h], ecx
                                      mov dword ptr [ebp-0000027Ch], edx
                                      mov dword ptr [ebp-00000280h], ebx
                                      mov dword ptr [ebp-00000284h], esi
                                      mov dword ptr [ebp-00000288h], edi
                                      mov word ptr [ebp-0000025Ch], ss
                                      mov word ptr [ebp-00000268h], cs
                                      mov word ptr [ebp-0000028Ch], ds
                                      mov word ptr [ebp-00000290h], es
                                      mov word ptr [ebp-00000294h], fs
                                      mov word ptr [ebp-00000298h], gs
                                      pushfd
                                      pop dword ptr [ebp-00000264h]
                                      mov eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-0000026Ch], eax
                                      lea eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-00000260h], eax
                                      mov dword ptr [ebp-00000324h], 00010001h
                                      mov eax, dword ptr [eax-04h]
                                      push 00000050h
                                      mov dword ptr [ebp-00000270h], eax
                                      lea eax, dword ptr [ebp-58h]
                                      push 00000000h
                                      push eax
                                      call 00007F9018C24171h
                                      Programming Language:
                                      • [C++] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4aa0 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x57000 | 0x18b00 | 0x18c00 | 2b80643378b10512badebcd4fb98e20b | False | 0.49309501262626265 | OpenPGP Secret Key Version 6 | 5.720602067524124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x76000 | 0x4aa0 | 0x4c00 | 6a6d1bfa38d02f409b70f06bdd9a0f19 | False | 0.2744140625 | data | 3.829623086573013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x7b000 | 0x3b80 | 0x3c00 | c911a195060b81c9af5252726a42ccf7 | False | 0.0024739583333333332 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                                      RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                                      RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                                      RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                                      RT_RCDATA | 0x7a5cc | 0x494 | data | | | 1.0093856655290103
                                      RT_GROUP_ICON | 0x7aa60 | 0x3e | data | English | United States | 0.8064516129032258
                                      DLL | Imports
                                      KERNEL32.DLL | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                      ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                      GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                      gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                      ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
                                      SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                      SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
                                      urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                                      USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                      WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                                      WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                      WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                      Language of compilation system | Country where language is spoken
                                      English | United States
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-11-05T12:41:32.786272+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:34.348606+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49705 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:35.871460+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49706 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:37.405154+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:38.954722+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49708 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:40.488436+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49709 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:42.022557+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49710 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:43.637742+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49711 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:45.161127+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49712 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:46.754439+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49713 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:48.288565+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49714 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:49.818315+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49717 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:50.252846+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.5 | 49715 | TCP
                                      2024-11-05T12:41:51.355450+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49723 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:52.893708+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49735 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:54.419605+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49744 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:55.951896+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49752 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:57.505259+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49763 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:41:59.021494+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49772 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:42:00.542402+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49780 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:42:02.067344+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49790 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:42:03.592241+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49801 | 198.23.227.212 | 32583 | TCP
                                      2024-11-05T12:42:05.115837+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549809198.23.227.21232583TCP
                                      2024-11-05T12:42:06.630577+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549819198.23.227.21232583TCP
                                      2024-11-05T12:42:08.164133+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549829198.23.227.21232583TCP
                                      2024-11-05T12:42:09.685071+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549840198.23.227.21232583TCP
                                      2024-11-05T12:42:11.205637+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549847198.23.227.21232583TCP
                                      2024-11-05T12:42:12.730956+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549857198.23.227.21232583TCP
                                      2024-11-05T12:42:14.250056+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549867198.23.227.21232583TCP
                                      2024-11-05T12:42:15.788526+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549878198.23.227.21232583TCP
                                      2024-11-05T12:42:17.337658+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549884198.23.227.21232583TCP
                                      2024-11-05T12:42:18.859526+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549895198.23.227.21232583TCP
                                      2024-11-05T12:42:20.396774+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549906198.23.227.21232583TCP
                                      2024-11-05T12:42:21.931070+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549917198.23.227.21232583TCP
                                      2024-11-05T12:42:23.417930+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549923198.23.227.21232583TCP
                                      2024-11-05T12:42:25.243343+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549934198.23.227.21232583TCP
                                      2024-11-05T12:42:26.670374+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549945198.23.227.21232583TCP
                                      2024-11-05T12:42:28.065270+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549953198.23.227.21232583TCP
                                      2024-11-05T12:42:28.568048+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow152.149.20.212443192.168.2.549952TCP
                                      2024-11-05T12:42:29.438467+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549963198.23.227.21232583TCP
                                      2024-11-05T12:42:30.787439+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549969198.23.227.21232583TCP
                                      2024-11-05T12:42:32.101609+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549979198.23.227.21232583TCP
                                      2024-11-05T12:42:33.386309+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549986198.23.227.21232583TCP
                                      2024-11-05T12:42:34.670115+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549994198.23.227.21232583TCP
                                      2024-11-05T12:42:35.894146+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550003198.23.227.21232583TCP
                                      2024-11-05T12:42:37.115745+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550009198.23.227.21232583TCP
                                      2024-11-05T12:42:38.333431+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550019198.23.227.21232583TCP
                                      2024-11-05T12:42:39.520588+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550022198.23.227.21232583TCP
                                      2024-11-05T12:42:40.675526+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550023198.23.227.21232583TCP
                                      2024-11-05T12:42:41.793165+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550024198.23.227.21232583TCP
                                      2024-11-05T12:42:43.061373+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550025198.23.227.21232583TCP
                                      2024-11-05T12:42:44.158035+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550026198.23.227.21232583TCP
                                      2024-11-05T12:42:45.227579+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550027198.23.227.21232583TCP
                                      2024-11-05T12:42:46.990371+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550028198.23.227.21232583TCP
                                      2024-11-05T12:42:48.022010+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550029198.23.227.21232583TCP
                                      2024-11-05T12:42:49.026948+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550030198.23.227.21232583TCP
                                      2024-11-05T12:42:50.025217+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550031198.23.227.21232583TCP
                                      2024-11-05T12:42:51.039564+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550032198.23.227.21232583TCP
                                      2024-11-05T12:42:51.997806+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550033198.23.227.21232583TCP
                                      2024-11-05T12:42:52.960204+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550034198.23.227.21232583TCP
                                      2024-11-05T12:42:54.283478+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550035198.23.227.21232583TCP
                                      2024-11-05T12:42:55.199477+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550036198.23.227.21232583TCP
                                      2024-11-05T12:42:56.113075+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550037198.23.227.21232583TCP
                                      2024-11-05T12:42:57.012887+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550038198.23.227.21232583TCP
                                      2024-11-05T12:42:57.904941+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550039198.23.227.21232583TCP
                                      2024-11-05T12:42:58.861145+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550040198.23.227.21232583TCP
                                      2024-11-05T12:42:59.717714+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550041198.23.227.21232583TCP
                                      2024-11-05T12:43:00.565042+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550042198.23.227.21232583TCP
                                      2024-11-05T12:43:01.403604+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550043198.23.227.21232583TCP
                                      2024-11-05T12:43:02.257711+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550044198.23.227.21232583TCP
                                      2024-11-05T12:43:03.075655+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550045198.23.227.21232583TCP
                                      2024-11-05T12:43:03.891235+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550046198.23.227.21232583TCP
                                      2024-11-05T12:43:04.701258+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550047198.23.227.21232583TCP
                                      2024-11-05T12:43:05.483644+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550048198.23.227.21232583TCP
                                      2024-11-05T12:43:06.269304+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550049198.23.227.21232583TCP
                                      2024-11-05T12:43:07.057593+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550050198.23.227.21232583TCP
                                      2024-11-05T12:43:07.827672+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550051198.23.227.21232583TCP
                                      2024-11-05T12:43:08.573729+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550052198.23.227.21232583TCP
                                      2024-11-05T12:43:09.342583+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550053198.23.227.21232583TCP
                                      2024-11-05T12:43:10.074118+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550054198.23.227.21232583TCP
                                      2024-11-05T12:43:10.821832+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550055198.23.227.21232583TCP
                                      2024-11-05T12:43:11.570540+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550056198.23.227.21232583TCP
                                      2024-11-05T12:43:12.299859+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550057198.23.227.21232583TCP
                                      2024-11-05T12:43:13.016186+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550058198.23.227.21232583TCP
                                      2024-11-05T12:43:13.715272+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550059198.23.227.21232583TCP
                                      2024-11-05T12:43:14.415597+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550060198.23.227.21232583TCP
                                      2024-11-05T12:43:15.107494+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550061198.23.227.21232583TCP
                                      2024-11-05T12:43:15.795594+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550062198.23.227.21232583TCP
                                      2024-11-05T12:43:16.485603+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550063198.23.227.21232583TCP
                                      2024-11-05T12:43:17.170749+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550064198.23.227.21232583TCP
                                      2024-11-05T12:43:17.839578+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550065198.23.227.21232583TCP
                                      2024-11-05T12:43:18.514770+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550066198.23.227.21232583TCP
                                      2024-11-05T12:43:19.183445+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550067198.23.227.21232583TCP
                                      2024-11-05T12:43:19.850806+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550068198.23.227.21232583TCP
                                      2024-11-05T12:43:20.497179+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550069198.23.227.21232583TCP
                                      2024-11-05T12:43:21.137321+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550070198.23.227.21232583TCP
                                      2024-11-05T12:43:21.787547+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550071198.23.227.21232583TCP
                                      2024-11-05T12:43:22.444780+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550072198.23.227.21232583TCP
                                      2024-11-05T12:43:23.081621+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550073198.23.227.21232583TCP
                                      2024-11-05T12:43:23.715645+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550074198.23.227.21232583TCP
                                      2024-11-05T12:43:24.341832+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550075198.23.227.21232583TCP
                                      2024-11-05T12:43:25.008916+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550076198.23.227.21232583TCP
                                      2024-11-05T12:43:25.628816+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550077198.23.227.21232583TCP
                                      2024-11-05T12:43:26.296307+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550078198.23.227.21232583TCP
                                      2024-11-05T12:43:26.940948+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550079198.23.227.21232583TCP
                                      2024-11-05T12:43:27.615619+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550080198.23.227.21232583TCP
                                      2024-11-05T12:43:28.230995+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550081198.23.227.21232583TCP
                                      2024-11-05T12:43:28.831837+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550082198.23.227.21232583TCP
                                      2024-11-05T12:43:29.443600+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550083198.23.227.21232583TCP
                                      2024-11-05T12:43:30.045607+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550084198.23.227.21232583TCP
                                      2024-11-05T12:43:30.642841+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550085198.23.227.21232583TCP
                                      2024-11-05T12:43:31.229886+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550086198.23.227.21232583TCP
                                      2024-11-05T12:43:31.823716+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550087198.23.227.21232583TCP
                                      2024-11-05T12:43:32.417618+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550088198.23.227.21232583TCP
                                      2024-11-05T12:43:33.013567+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550089198.23.227.21232583TCP
                                      2024-11-05T12:43:33.615634+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550090198.23.227.21232583TCP
                                      2024-11-05T12:43:34.202575+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550091198.23.227.21232583TCP
                                      2024-11-05T12:43:34.781374+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550092198.23.227.21232583TCP
                                      2024-11-05T12:43:35.543698+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550093198.23.227.21232583TCP
                                      2024-11-05T12:43:36.135688+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550094198.23.227.21232583TCP
                                      2024-11-05T12:43:36.717696+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550095198.23.227.21232583TCP
                                      2024-11-05T12:43:37.285549+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550096198.23.227.21232583TCP
                                      2024-11-05T12:43:37.858168+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550097198.23.227.21232583TCP
                                      2024-11-05T12:43:38.447660+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550098198.23.227.21232583TCP
                                      2024-11-05T12:43:39.038730+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550099198.23.227.21232583TCP
                                      2024-11-05T12:43:39.601714+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550100198.23.227.21232583TCP
                                      2024-11-05T12:43:40.192572+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550101198.23.227.21232583TCP
                                      2024-11-05T12:43:40.786674+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550102198.23.227.21232583TCP
                                      2024-11-05T12:43:41.357265+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550103198.23.227.21232583TCP
                                      2024-11-05T12:43:41.917098+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550104198.23.227.21232583TCP
                                      2024-11-05T12:43:42.491656+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550105198.23.227.21232583TCP
                                      2024-11-05T12:43:43.046211+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550106198.23.227.21232583TCP
                                      2024-11-05T12:43:43.607761+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550107198.23.227.21232583TCP
                                      2024-11-05T12:43:44.183654+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550108198.23.227.21232583TCP
                                      2024-11-05T12:43:44.755716+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550109198.23.227.21232583TCP
                                      2024-11-05T12:43:45.335339+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550110198.23.227.21232583TCP
                                      2024-11-05T12:43:45.886169+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550111198.23.227.21232583TCP
                                      2024-11-05T12:43:46.458169+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550112198.23.227.21232583TCP
                                      2024-11-05T12:43:47.034579+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550113198.23.227.21232583TCP
                                      2024-11-05T12:43:47.615436+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550114198.23.227.21232583TCP
                                      2024-11-05T12:43:48.224271+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550115198.23.227.21232583TCP
                                      2024-11-05T12:43:48.803256+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550116198.23.227.21232583TCP
                                      2024-11-05T12:43:49.348377+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550117198.23.227.21232583TCP
                                      2024-11-05T12:43:49.888140+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550118198.23.227.21232583TCP
                                      2024-11-05T12:43:50.435702+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550119198.23.227.21232583TCP
                                      2024-11-05T12:43:50.983710+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550120198.23.227.21232583TCP
                                      2024-11-05T12:43:51.555338+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550121198.23.227.21232583TCP
                                      2024-11-05T12:43:52.104880+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550122198.23.227.21232583TCP
                                      2024-11-05T12:43:52.653820+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550123198.23.227.21232583TCP
                                      2024-11-05T12:43:53.195337+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550124198.23.227.21232583TCP
                                      2024-11-05T12:43:53.732023+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550125198.23.227.21232583TCP
                                      2024-11-05T12:43:54.309705+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550126198.23.227.21232583TCP
                                      2024-11-05T12:43:54.857923+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550127198.23.227.21232583TCP
                                      2024-11-05T12:43:55.401816+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550128198.23.227.21232583TCP
                                      2024-11-05T12:43:55.935391+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550129198.23.227.21232583TCP
                                      2024-11-05T12:43:56.481705+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550130198.23.227.21232583TCP
                                      2024-11-05T12:43:57.056275+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550131198.23.227.21232583TCP
                                      2024-11-05T12:43:57.595779+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550132198.23.227.21232583TCP
                                      2024-11-05T12:43:58.147233+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550133198.23.227.21232583TCP
                                      2024-11-05T12:43:58.685798+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550134198.23.227.21232583TCP
                                      2024-11-05T12:43:59.222257+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550135198.23.227.21232583TCP
                                      2024-11-05T12:43:59.764331+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550136198.23.227.21232583TCP
                                      2024-11-05T12:44:00.323895+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550137198.23.227.21232583TCP
                                      2024-11-05T12:44:01.070565+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550138198.23.227.21232583TCP
                                      2024-11-05T12:44:01.616367+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550139198.23.227.21232583TCP
                                      2024-11-05T12:44:02.155728+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550140198.23.227.21232583TCP
                                      2024-11-05T12:44:02.683392+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550141198.23.227.21232583TCP
                                      2024-11-05T12:44:03.219797+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550142198.23.227.21232583TCP
                                      2024-11-05T12:44:03.759407+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550143198.23.227.21232583TCP
                                      2024-11-05T12:44:04.290620+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550144198.23.227.21232583TCP
                                      2024-11-05T12:44:04.834166+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550145198.23.227.21232583TCP
                                      2024-11-05T12:44:05.391700+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550146198.23.227.21232583TCP
                                      2024-11-05T12:44:05.947698+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550147198.23.227.21232583TCP
                                      2024-11-05T12:44:06.483583+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550148198.23.227.21232583TCP
                                      2024-11-05T12:44:07.012526+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550149198.23.227.21232583TCP
                                      2024-11-05T12:44:07.543666+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550150198.23.227.21232583TCP
                                      2024-11-05T12:44:08.250452+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550151198.23.227.21232583TCP
                                      2024-11-05T12:44:08.786119+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550152198.23.227.21232583TCP
                                      2024-11-05T12:44:09.708193+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550153198.23.227.21232583TCP
                                      2024-11-05T12:44:10.231127+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550154198.23.227.21232583TCP
                                      2024-11-05T12:44:10.763760+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550155198.23.227.21232583TCP
                                      2024-11-05T12:44:11.297865+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550156198.23.227.21232583TCP
                                      2024-11-05T12:44:11.833364+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550157198.23.227.21232583TCP
                                      2024-11-05T12:44:12.366813+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550158198.23.227.21232583TCP
                                      2024-11-05T12:44:12.887760+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550159198.23.227.21232583TCP
                                      2024-11-05T12:44:14.092290+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550160198.23.227.21232583TCP
                                      2024-11-05T12:44:14.623763+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550161198.23.227.21232583TCP
                                      2024-11-05T12:44:15.167873+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550162198.23.227.21232583TCP
                                      2024-11-05T12:44:15.699653+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550163198.23.227.21232583TCP
                                      2024-11-05T12:44:16.238179+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550164198.23.227.21232583TCP
                                      2024-11-05T12:44:16.755767+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550165198.23.227.21232583TCP
                                      2024-11-05T12:44:17.301505+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550166198.23.227.21232583TCP
                                      2024-11-05T12:44:17.823427+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550167198.23.227.21232583TCP
                                      2024-11-05T12:44:18.348744+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550168198.23.227.21232583TCP
                                      2024-11-05T12:44:18.883698+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550169198.23.227.21232583TCP
                                      2024-11-05T12:44:19.427743+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550170198.23.227.21232583TCP
                                      2024-11-05T12:44:19.958301+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.550171198.23.227.21232583TCP
2024-11-05T12:44:20.475439+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50172  198.23.227.212  32583  TCP
2024-11-05T12:44:21.007406+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50173  198.23.227.212  32583  TCP
2024-11-05T12:44:21.556218+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50174  198.23.227.212  32583  TCP
2024-11-05T12:44:22.085316+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50175  198.23.227.212  32583  TCP
2024-11-05T12:44:22.608430+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50176  198.23.227.212  32583  TCP
2024-11-05T12:44:23.163791+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50177  198.23.227.212  32583  TCP
2024-11-05T12:44:23.695640+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50178  198.23.227.212  32583  TCP
2024-11-05T12:44:24.210179+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50179  198.23.227.212  32583  TCP
2024-11-05T12:44:24.739735+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50180  198.23.227.212  32583  TCP
2024-11-05T12:44:25.271617+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50181  198.23.227.212  32583  TCP
2024-11-05T12:44:25.786672+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50182  198.23.227.212  32583  TCP
2024-11-05T12:44:26.308862+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50183  198.23.227.212  32583  TCP
2024-11-05T12:44:26.849798+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50184  198.23.227.212  32583  TCP
2024-11-05T12:44:27.366211+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50185  198.23.227.212  32583  TCP
2024-11-05T12:44:27.904925+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50186  198.23.227.212  32583  TCP
2024-11-05T12:44:28.434320+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50187  198.23.227.212  32583  TCP
2024-11-05T12:44:28.987796+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50188  198.23.227.212  32583  TCP
2024-11-05T12:44:29.558237+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50189  198.23.227.212  32583  TCP
2024-11-05T12:44:30.066221+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50190  198.23.227.212  32583  TCP
2024-11-05T12:44:30.588804+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50191  198.23.227.212  32583  TCP
2024-11-05T12:44:31.105074+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50192  198.23.227.212  32583  TCP
2024-11-05T12:44:31.622793+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50193  198.23.227.212  32583  TCP
2024-11-05T12:44:32.167769+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50194  198.23.227.212  32583  TCP
2024-11-05T12:44:32.712709+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50195  198.23.227.212  32583  TCP
2024-11-05T12:44:33.229889+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50196  198.23.227.212  32583  TCP
2024-11-05T12:44:33.755794+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50197  198.23.227.212  32583  TCP
2024-11-05T12:44:34.286058+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50198  198.23.227.212  32583  TCP
2024-11-05T12:44:34.801824+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50199  198.23.227.212  32583  TCP
2024-11-05T12:44:35.331769+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50200  198.23.227.212  32583  TCP
2024-11-05T12:44:35.859608+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50201  198.23.227.212  32583  TCP
2024-11-05T12:44:36.397083+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50202  198.23.227.212  32583  TCP
2024-11-05T12:44:36.937718+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50203  198.23.227.212  32583  TCP
2024-11-05T12:44:37.490310+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50204  198.23.227.212  32583  TCP
2024-11-05T12:44:38.007789+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50205  198.23.227.212  32583  TCP
2024-11-05T12:44:38.554974+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50206  198.23.227.212  32583  TCP
2024-11-05T12:44:39.076802+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50207  198.23.227.212  32583  TCP
2024-11-05T12:44:39.606120+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50208  198.23.227.212  32583  TCP
2024-11-05T12:44:40.124778+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50209  198.23.227.212  32583  TCP
2024-11-05T12:44:40.651761+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50210  198.23.227.212  32583  TCP
2024-11-05T12:44:41.187740+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50211  198.23.227.212  32583  TCP
2024-11-05T12:44:41.714906+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50212  198.23.227.212  32583  TCP
2024-11-05T12:44:42.231114+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50213  198.23.227.212  32583  TCP
2024-11-05T12:44:42.752512+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50214  198.23.227.212  32583  TCP
2024-11-05T12:44:43.289826+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50215  198.23.227.212  32583  TCP
2024-11-05T12:44:43.803040+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50216  198.23.227.212  32583  TCP
2024-11-05T12:44:44.334763+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50217  198.23.227.212  32583  TCP
2024-11-05T12:44:44.857112+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50218  198.23.227.212  32583  TCP
2024-11-05T12:44:45.411748+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50219  198.23.227.212  32583  TCP
2024-11-05T12:44:45.935807+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50220  198.23.227.212  32583  TCP
2024-11-05T12:44:46.461907+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50221  198.23.227.212  32583  TCP
2024-11-05T12:44:46.983157+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50222  198.23.227.212  32583  TCP
2024-11-05T12:44:47.515743+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50223  198.23.227.212  32583  TCP
2024-11-05T12:44:48.072010+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50224  198.23.227.212  32583  TCP
2024-11-05T12:44:48.594555+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50225  198.23.227.212  32583  TCP
2024-11-05T12:44:49.121768+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50226  198.23.227.212  32583  TCP
2024-11-05T12:44:49.639823+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50227  198.23.227.212  32583  TCP
2024-11-05T12:44:50.167794+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50228  198.23.227.212  32583  TCP
2024-11-05T12:44:50.679800+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50229  198.23.227.212  32583  TCP
2024-11-05T12:44:51.211186+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50230  198.23.227.212  32583  TCP
2024-11-05T12:44:51.733440+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50231  198.23.227.212  32583  TCP
2024-11-05T12:44:52.252814+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50232  198.23.227.212  32583  TCP
2024-11-05T12:44:52.788428+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50233  198.23.227.212  32583  TCP
2024-11-05T12:44:53.303862+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50234  198.23.227.212  32583  TCP
2024-11-05T12:44:53.839257+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50235  198.23.227.212  32583  TCP
2024-11-05T12:44:54.362222+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50236  198.23.227.212  32583  TCP
2024-11-05T12:44:54.907233+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50237  198.23.227.212  32583  TCP
2024-11-05T12:44:55.417842+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50238  198.23.227.212  32583  TCP
2024-11-05T12:44:55.948933+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50239  198.23.227.212  32583  TCP
2024-11-05T12:44:56.475829+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50240  198.23.227.212  32583  TCP
2024-11-05T12:44:56.993855+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50241  198.23.227.212  32583  TCP
2024-11-05T12:44:57.509374+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50242  198.23.227.212  32583  TCP
2024-11-05T12:44:58.024192+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50243  198.23.227.212  32583  TCP
2024-11-05T12:44:58.541811+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50244  198.23.227.212  32583  TCP
2024-11-05T12:44:59.054882+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50245  198.23.227.212  32583  TCP
2024-11-05T12:44:59.574991+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50246  198.23.227.212  32583  TCP
2024-11-05T12:45:00.087889+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50247  198.23.227.212  32583  TCP
2024-11-05T12:45:00.594542+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50248  198.23.227.212  32583  TCP
2024-11-05T12:45:01.115376+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50249  198.23.227.212  32583  TCP
2024-11-05T12:45:01.629850+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50250  198.23.227.212  32583  TCP
2024-11-05T12:45:02.165776+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50251  198.23.227.212  32583  TCP
2024-11-05T12:45:02.681826+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50252  198.23.227.212  32583  TCP
2024-11-05T12:45:03.201397+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50253  198.23.227.212  32583  TCP
2024-11-05T12:45:03.716004+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50254  198.23.227.212  32583  TCP
2024-11-05T12:45:04.229865+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50255  198.23.227.212  32583  TCP
2024-11-05T12:45:04.742081+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50256  198.23.227.212  32583  TCP
2024-11-05T12:45:05.280536+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50257  198.23.227.212  32583  TCP
2024-11-05T12:45:05.799769+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50258  198.23.227.212  32583  TCP
2024-11-05T12:45:06.311997+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50259  198.23.227.212  32583  TCP
2024-11-05T12:45:06.818374+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50260  198.23.227.212  32583  TCP
2024-11-05T12:45:07.331837+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50261  198.23.227.212  32583  TCP
2024-11-05T12:45:07.844204+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50262  198.23.227.212  32583  TCP
2024-11-05T12:45:08.364208+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50263  198.23.227.212  32583  TCP
2024-11-05T12:45:08.883524+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50264  198.23.227.212  32583  TCP
2024-11-05T12:45:09.399849+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50265  198.23.227.212  32583  TCP
2024-11-05T12:45:09.915856+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50266  198.23.227.212  32583  TCP
2024-11-05T12:45:10.431711+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50267  198.23.227.212  32583  TCP
2024-11-05T12:45:10.946643+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50268  198.23.227.212  32583  TCP
2024-11-05T12:45:11.463976+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50269  198.23.227.212  32583  TCP
2024-11-05T12:45:11.975816+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50270  198.23.227.212  32583  TCP
2024-11-05T12:45:12.490979+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50271  198.23.227.212  32583  TCP
2024-11-05T12:45:13.003193+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50272  198.23.227.212  32583  TCP
2024-11-05T12:45:13.786673+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50273  198.23.227.212  32583  TCP
2024-11-05T12:45:14.301565+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50274  198.23.227.212  32583  TCP
2024-11-05T12:45:14.827836+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50275  198.23.227.212  32583  TCP
2024-11-05T12:45:15.348487+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50276  198.23.227.212  32583  TCP
2024-11-05T12:45:15.859586+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50277  198.23.227.212  32583  TCP
2024-11-05T12:45:16.375881+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50278  198.23.227.212  32583  TCP
2024-11-05T12:45:16.888904+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50279  198.23.227.212  32583  TCP
2024-11-05T12:45:17.410495+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50280  198.23.227.212  32583  TCP
2024-11-05T12:45:17.915097+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50281  198.23.227.212  32583  TCP
2024-11-05T12:45:18.437984+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50282  198.23.227.212  32583  TCP
2024-11-05T12:45:18.953915+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50283  198.23.227.212  32583  TCP
2024-11-05T12:45:19.467324+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50284  198.23.227.212  32583  TCP
2024-11-05T12:45:20.007344+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50285  198.23.227.212  32583  TCP
2024-11-05T12:45:21.377464+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50286  198.23.227.212  32583  TCP
2024-11-05T12:45:21.887831+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50287  198.23.227.212  32583  TCP
2024-11-05T12:45:22.404412+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50288  198.23.227.212  32583  TCP
2024-11-05T12:45:22.923955+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50289  198.23.227.212  32583  TCP
2024-11-05T12:45:23.436883+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50290  198.23.227.212  32583  TCP
2024-11-05T12:45:23.952400+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50291  198.23.227.212  32583  TCP
2024-11-05T12:45:24.461845+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50292  198.23.227.212  32583  TCP
2024-11-05T12:45:24.979885+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50293  198.23.227.212  32583  TCP
2024-11-05T12:45:25.503788+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50294  198.23.227.212  32583  TCP
2024-11-05T12:45:26.017865+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50295  198.23.227.212  32583  TCP
2024-11-05T12:45:26.543868+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50296  198.23.227.212  32583  TCP
2024-11-05T12:45:27.059833+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50297  198.23.227.212  32583  TCP
2024-11-05T12:45:27.573025+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50298  198.23.227.212  32583  TCP
2024-11-05T12:45:28.086163+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50299  198.23.227.212  32583  TCP
2024-11-05T12:45:28.615835+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50300  198.23.227.212  32583  TCP
2024-11-05T12:45:29.137506+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50301  198.23.227.212  32583  TCP
2024-11-05T12:45:29.650091+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50302  198.23.227.212  32583  TCP
2024-11-05T12:45:30.175418+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50303  198.23.227.212  32583  TCP
2024-11-05T12:45:30.697870+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50304  198.23.227.212  32583  TCP
2024-11-05T12:45:31.203865+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50305  198.23.227.212  32583  TCP
2024-11-05T12:45:31.728247+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50306  198.23.227.212  32583  TCP
2024-11-05T12:45:32.250288+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50307  198.23.227.212  32583  TCP
2024-11-05T12:45:33.339871+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50308  198.23.227.212  32583  TCP
2024-11-05T12:45:34.231604+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50309  198.23.227.212  32583  TCP
2024-11-05T12:45:34.771887+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50310  198.23.227.212  32583  TCP
2024-11-05T12:45:35.555421+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50311  198.23.227.212  32583  TCP
2024-11-05T12:45:36.081213+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50312  198.23.227.212  32583  TCP
2024-11-05T12:45:36.604028+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50313  198.23.227.212  32583  TCP
2024-11-05T12:45:37.129806+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50314  198.23.227.212  32583  TCP
2024-11-05T12:45:37.642880+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50315  198.23.227.212  32583  TCP
2024-11-05T12:45:38.155408+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1  192.168.2.5  50316  198.23.227.212  32583  TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 5, 2024 12:41:32.273763895 CET  49704  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:32.278691053 CET  32583  49704  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:32.278769970 CET  49704  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:32.284807920 CET  49704  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:32.289901018 CET  32583  49704  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:32.786005020 CET  32583  49704  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:32.786272049 CET  49704  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:32.806740046 CET  49704  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:32.811969995 CET  32583  49704  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:33.835727930 CET  49705  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:33.840723991 CET  32583  49705  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:33.840941906 CET  49705  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:33.850935936 CET  49705  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:33.855998993 CET  32583  49705  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:34.348445892 CET  32583  49705  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:34.348606110 CET  49705  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:34.348826885 CET  49705  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:34.353560925 CET  32583  49705  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:35.359193087 CET  49706  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:35.364072084 CET  32583  49706  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:35.364209890 CET  49706  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:35.367929935 CET  49706  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:35.372788906 CET  32583  49706  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:35.871359110 CET  32583  49706  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:35.871459961 CET  49706  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:35.871649981 CET  49706  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:35.876543999 CET  32583  49706  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:36.883378029 CET  49707  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:36.888931036 CET  32583  49707  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:36.889025927 CET  49707  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:36.972601891 CET  49707  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:36.979835033 CET  32583  49707  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:37.405070066 CET  32583  49707  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:37.405153990 CET  49707  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:37.405246973 CET  49707  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:37.410459995 CET  32583  49707  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:38.421403885 CET  49708  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:38.426304102 CET  32583  49708  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:38.426400900 CET  49708  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:38.430026054 CET  49708  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:38.435146093 CET  32583  49708  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:38.954632044 CET  32583  49708  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:38.954721928 CET  49708  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:38.954837084 CET  49708  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:38.959731102 CET  32583  49708  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:39.968405008 CET  49709  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:39.973612070 CET  32583  49709  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:39.973741055 CET  49709  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:39.977433920 CET  49709  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:39.982439041 CET  32583  49709  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:40.488291025 CET  32583  49709  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:40.488435984 CET  49709  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:40.488528967 CET  49709  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:40.493393898 CET  32583  49709  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:41.499697924 CET  49710  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:41.506349087 CET  32583  49710  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:41.506442070 CET  49710  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:41.510261059 CET  49710  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:41.517510891 CET  32583  49710  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:42.022439957 CET  32583  49710  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:42.022557020 CET  49710  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:42.075040102 CET  49710  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:42.080085039 CET  32583  49710  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:43.093463898 CET  49711  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:43.098793983 CET  32583  49711  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:43.098905087 CET  49711  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:43.102822065 CET  49711  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:43.107729912 CET  32583  49711  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:43.637651920 CET  32583  49711  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:43.637742043 CET  49711  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:43.637829065 CET  49711  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:43.643934011 CET  32583  49711  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:44.640340090 CET  49712  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:44.645216942 CET  32583  49712  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:44.645319939 CET  49712  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:44.649034023 CET  49712  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:44.653951883 CET  32583  49712  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:45.160976887 CET  32583  49712  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:45.161127090 CET  49712  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:45.220841885 CET  49712  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:45.225845098 CET  32583  49712  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:46.234019041 CET  49713  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:46.239093065 CET  32583  49713  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:46.239249945 CET  49713  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:46.243139982 CET  49713  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:46.248164892 CET  32583  49713  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:46.754293919 CET  32583  49713  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:46.754439116 CET  49713  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:46.754527092 CET  49713  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:46.759387016 CET  32583  49713  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:47.767694950 CET  49714  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:47.772727013 CET  32583  49714  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:47.772804976 CET  49714  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:47.776854992 CET  49714  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:47.781867027 CET  32583  49714  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:48.288491011 CET  32583  49714  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:48.288564920 CET  49714  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:48.288629055 CET  49714  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:48.293658972 CET  32583  49714  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:49.297789097 CET  49717  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:49.302917004 CET  32583  49717  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:49.303103924 CET  49717  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:49.307140112 CET  49717  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:49.311974049 CET  32583  49717  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:49.817945957 CET  32583  49717  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:49.818315029 CET  49717  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:49.818403959 CET  49717  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:49.823383093 CET  32583  49717  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:50.832957983 CET  49723  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:50.837809086 CET  32583  49723  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:50.837929010 CET  49723  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:50.842048883 CET  49723  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:50.847057104 CET  32583  49723  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:51.351597071 CET  32583  49723  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:51.355449915 CET  49723  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:51.359586954 CET  49723  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:51.364502907 CET  32583  49723  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:52.374660015 CET  49735  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:52.379478931 CET  32583  49735  198.23.227.212  192.168.2.5
Nov 5, 2024 12:41:52.379561901 CET  49735  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:41:52.395837069 CET  49735  32583  192.168.2.5  198.23.227.212
                                      Nov 5, 2024 12:41:52.400772095 CET3258349735198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:52.893606901 CET3258349735198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:52.893707991 CET4973532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:52.893778086 CET4973532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:52.898696899 CET3258349735198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:53.905710936 CET4974432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:53.910530090 CET3258349744198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:53.910610914 CET4974432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:53.914474964 CET4974432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:53.919784069 CET3258349744198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:54.417081118 CET3258349744198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:54.419605017 CET4974432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:54.425615072 CET4974432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:54.430547953 CET3258349744198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:55.437119961 CET4975232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:55.442028046 CET3258349752198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:55.442209005 CET4975232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:55.445967913 CET4975232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:55.450849056 CET3258349752198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:55.951807022 CET3258349752198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:55.951895952 CET4975232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:55.951958895 CET4975232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:55.956964970 CET3258349752198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:56.968135118 CET4976332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:56.972973108 CET3258349763198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:56.973061085 CET4976332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:56.976768017 CET4976332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:56.981570005 CET3258349763198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:57.505167961 CET3258349763198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:57.505259037 CET4976332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:57.505353928 CET4976332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:57.510212898 CET3258349763198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:58.516166925 CET4977232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:58.521065950 CET3258349772198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:58.521146059 CET4977232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:58.524833918 CET4977232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:58.529690027 CET3258349772198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:59.021358013 CET3258349772198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:41:59.021493912 CET4977232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:59.021562099 CET4977232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:41:59.027112961 CET3258349772198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:00.030702114 CET4978032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:00.035578966 CET3258349780198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:00.035685062 CET4978032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:00.039668083 CET4978032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:00.044528008 CET3258349780198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:00.542282104 CET3258349780198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:00.542402029 CET4978032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:00.542530060 CET4978032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:00.547271967 CET3258349780198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:01.546466112 CET4979032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:01.551794052 CET3258349790198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:01.551971912 CET4979032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:01.555866957 CET4979032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:01.561165094 CET3258349790198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:02.067142963 CET3258349790198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:02.067343950 CET4979032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:02.067446947 CET4979032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:02.072341919 CET3258349790198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:03.079332113 CET4980132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:03.084249973 CET3258349801198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:03.084361076 CET4980132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:03.088166952 CET4980132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:03.093203068 CET3258349801198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:03.592123985 CET3258349801198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:03.592241049 CET4980132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:03.592282057 CET4980132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:03.597151995 CET3258349801198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:04.609093904 CET4980932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:04.615194082 CET3258349809198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:04.615322113 CET4980932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:04.619263887 CET4980932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:04.625379086 CET3258349809198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:05.115688086 CET3258349809198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:05.115837097 CET4980932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:05.115946054 CET4980932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:05.120703936 CET3258349809198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:06.124783993 CET4981932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:06.130156994 CET3258349819198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:06.130268097 CET4981932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:06.134027004 CET4981932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:06.139014959 CET3258349819198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:06.630494118 CET3258349819198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:06.630577087 CET4981932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:06.630651951 CET4981932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:06.636075974 CET3258349819198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:07.640434027 CET4982932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:07.645359993 CET3258349829198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:07.645482063 CET4982932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:07.649353027 CET4982932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:07.654331923 CET3258349829198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:08.163980961 CET3258349829198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:08.164133072 CET4982932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:08.164215088 CET4982932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:08.169020891 CET3258349829198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:09.171766043 CET4984032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:09.176587105 CET3258349840198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:09.176723957 CET4984032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:09.181058884 CET4984032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:09.186180115 CET3258349840198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:09.684984922 CET3258349840198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:09.685070992 CET4984032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:09.685131073 CET4984032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:09.689905882 CET3258349840198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:10.686934948 CET4984732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:10.691962004 CET3258349847198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:10.692079067 CET4984732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:10.695897102 CET4984732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:10.700767040 CET3258349847198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:11.205533028 CET3258349847198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:11.205636978 CET4984732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:11.205714941 CET4984732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:11.211522102 CET3258349847198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:12.218329906 CET4985732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:12.223611116 CET3258349857198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:12.223721027 CET4985732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:12.227488041 CET4985732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:12.232351065 CET3258349857198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:12.730822086 CET3258349857198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:12.730956078 CET4985732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:12.731059074 CET4985732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:12.736454010 CET3258349857198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:13.733938932 CET4986732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:13.738965034 CET3258349867198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:13.743534088 CET4986732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:13.747597933 CET4986732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:13.752613068 CET3258349867198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:14.249947071 CET3258349867198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:14.250056028 CET4986732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:14.250144005 CET4986732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:14.255043030 CET3258349867198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:15.265199900 CET4987832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:15.271961927 CET3258349878198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:15.272094965 CET4987832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:15.275855064 CET4987832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:15.282196999 CET3258349878198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:15.788362026 CET3258349878198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:15.788526058 CET4987832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:15.788608074 CET4987832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:15.794472933 CET3258349878198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:16.800050020 CET4988432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:16.805181026 CET3258349884198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:16.805277109 CET4988432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:16.817548990 CET4988432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:16.822473049 CET3258349884198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:17.337491035 CET3258349884198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:17.337657928 CET4988432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:17.337733984 CET4988432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:17.342654943 CET3258349884198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:18.343419075 CET4989532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:18.348390102 CET3258349895198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:18.351577044 CET4989532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:18.355779886 CET4989532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:18.360694885 CET3258349895198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:18.858154058 CET3258349895198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:18.859525919 CET4989532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:18.859587908 CET4989532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:18.864408970 CET3258349895198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:19.874560118 CET4990632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:19.879729986 CET3258349906198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:19.879858971 CET4990632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:19.883722067 CET4990632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:19.888850927 CET3258349906198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:20.396634102 CET3258349906198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:20.396774054 CET4990632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:20.400872946 CET4990632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:20.405690908 CET3258349906198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:21.405728102 CET4991732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:21.410789967 CET3258349917198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:21.410923958 CET4991732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:21.415132046 CET4991732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:21.420115948 CET3258349917198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:21.930958986 CET3258349917198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:21.931070089 CET4991732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:21.931135893 CET4991732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:21.935862064 CET3258349917198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:22.905786991 CET4992332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:22.911375046 CET3258349923198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:22.911607981 CET4992332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:22.915467024 CET4992332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:22.920363903 CET3258349923198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:23.417808056 CET3258349923198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:23.417929888 CET4992332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:23.418119907 CET4992332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:23.422991991 CET3258349923198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:24.361829996 CET4993432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:24.366848946 CET3258349934198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:24.369592905 CET4993432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:24.373476028 CET4993432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:24.378494978 CET3258349934198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:25.243221998 CET3258349934198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:25.243343115 CET4993432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:25.243454933 CET4993432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:25.248213053 CET3258349934198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:26.156130075 CET4994532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:26.161473036 CET3258349945198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:26.161592960 CET4994532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:26.165297031 CET4994532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:26.170486927 CET3258349945198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:26.670308113 CET3258349945198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:26.670373917 CET4994532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:26.670448065 CET4994532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:26.675277948 CET3258349945198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:27.546576977 CET4995332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:27.551687956 CET3258349953198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:27.551808119 CET4995332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:27.555680037 CET4995332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:27.560575008 CET3258349953198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:28.065138102 CET3258349953198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:28.065269947 CET4995332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:28.065437078 CET4995332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:28.070303917 CET3258349953198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:28.921253920 CET4996332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:28.926400900 CET3258349963198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:28.926481009 CET4996332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:28.930717945 CET4996332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:28.935803890 CET3258349963198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:29.438282967 CET3258349963198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:29.438467026 CET4996332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:29.438532114 CET4996332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:29.444737911 CET3258349963198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:30.265348911 CET4996932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:30.271384001 CET3258349969198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:30.271500111 CET4996932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:30.275285006 CET4996932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:30.281305075 CET3258349969198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:30.787363052 CET3258349969198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:30.787439108 CET4996932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:30.787513971 CET4996932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:30.792469025 CET3258349969198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:31.577734947 CET4997932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:31.582520962 CET3258349979198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:31.582627058 CET4997932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:31.586354971 CET4997932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:31.591181993 CET3258349979198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:32.099900007 CET3258349979198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:32.101608992 CET4997932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:32.101674080 CET4997932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:32.106580019 CET3258349979198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:32.874562025 CET4998632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:32.879791975 CET3258349986198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:32.879951000 CET4998632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:32.883821964 CET4998632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:32.888839006 CET3258349986198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:33.386241913 CET3258349986198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:33.386308908 CET4998632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:33.386405945 CET4998632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:33.391168118 CET3258349986198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:34.127677917 CET4999432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:34.132509947 CET3258349994198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:34.135617971 CET4999432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:34.140841007 CET4999432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:34.145729065 CET3258349994198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:34.670030117 CET3258349994198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:34.670114994 CET4999432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:34.670173883 CET4999432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:34.675054073 CET3258349994198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:42:35.390141964 CET5000332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:42:35.394990921 CET3258350003198.23.227.212192.168.2.5
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Nov 5, 2024 12:42:35.395174980 CET   50003     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:35.399054050 CET   50003     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:35.403825045 CET   32583     50003     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:35.894068956 CET   32583     50003     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:35.894145966 CET   50003     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:35.894223928 CET   50003     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:35.898983955 CET   32583     50003     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:36.594980955 CET   50009     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:36.599858046 CET   32583     50009     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:36.599929094 CET   50009     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:36.607428074 CET   50009     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:36.612291098 CET   32583     50009     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:37.115644932 CET   32583     50009     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:37.115745068 CET   50009     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:37.157622099 CET   50009     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:37.162575006 CET   32583     50009     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:37.827721119 CET   50019     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:37.832767963 CET   32583     50019     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:37.832843065 CET   50019     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:37.836550951 CET   50019     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:37.841528893 CET   32583     50019     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:38.333334923 CET   32583     50019     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:38.333431005 CET   50019     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:38.333477020 CET   50019     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:38.338432074 CET   32583     50019     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:38.983803988 CET   50022     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:38.988650084 CET   32583     50022     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:38.988745928 CET   50022     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:38.992356062 CET   50022     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:38.997100115 CET   32583     50022     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:39.520467043 CET   32583     50022     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:39.520587921 CET   50022     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:39.520651102 CET   50022     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:39.525846958 CET   32583     50022     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:40.157761097 CET   50023     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:40.162796021 CET   32583     50023     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:40.165540934 CET   50023     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:40.168836117 CET   50023     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:40.173716068 CET   32583     50023     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:40.673113108 CET   32583     50023     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:40.675525904 CET   50023     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:40.675575018 CET   50023     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:40.680787086 CET   32583     50023     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:41.280607939 CET   50024     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:41.285424948 CET   32583     50024     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:41.285502911 CET   50024     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:41.288938046 CET   50024     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:41.293700933 CET   32583     50024     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:41.793023109 CET   32583     50024     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:41.793164968 CET   50024     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:41.793210983 CET   50024     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:41.798108101 CET   32583     50024     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:42.389888048 CET   50025     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:42.394761086 CET   32583     50025     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:42.397614002 CET   50025     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:42.401096106 CET   50025     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:42.405889988 CET   32583     50025     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:43.058109045 CET   32583     50025     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:43.061372995 CET   50025     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:43.061532974 CET   50025     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:43.066711903 CET   32583     50025     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:43.640218019 CET   50026     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:43.645121098 CET   32583     50026     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:43.647541046 CET   50026     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:43.651077986 CET   50026     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:43.655838013 CET   32583     50026     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:44.157977104 CET   32583     50026     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:44.158035040 CET   50026     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:44.158082962 CET   50026     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:44.164467096 CET   32583     50026     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:44.702419996 CET   50027     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:44.707421064 CET   32583     50027     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:44.707508087 CET   50027     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:44.710897923 CET   50027     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:44.715655088 CET   32583     50027     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:45.223815918 CET   32583     50027     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:45.227579117 CET   50027     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:45.227696896 CET   50027     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:45.232644081 CET   32583     50027     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:45.767760992 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:45.773251057 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:45.775549889 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:45.778877020 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:45.784276009 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:46.990174055 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:46.990370989 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:46.990515947 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:46.992340088 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:46.992465019 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:46.993415117 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:46.993525982 CET   50028     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:46.999463081 CET   32583     50028     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:47.499840021 CET   50029     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:47.504744053 CET   32583     50029     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:47.504848003 CET   50029     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:47.508224964 CET   50029     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:47.513111115 CET   32583     50029     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:48.021899939 CET   32583     50029     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:48.022010088 CET   50029     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:48.022080898 CET   50029     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:48.026994944 CET   32583     50029     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:48.515292883 CET   50030     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:48.520289898 CET   32583     50030     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:48.520351887 CET   50030     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:48.526927948 CET   50030     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:48.531698942 CET   32583     50030     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:49.026858091 CET   32583     50030     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:49.026947975 CET   50030     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:49.027019978 CET   50030     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:49.031935930 CET   32583     50030     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:49.515019894 CET   50031     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:49.519860983 CET   32583     50031     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:49.522541046 CET   50031     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:49.526163101 CET   50031     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:49.531054020 CET   32583     50031     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:50.025043011 CET   32583     50031     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:50.025217056 CET   50031     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:50.025259972 CET   50031     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:50.030108929 CET   32583     50031     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:50.499583960 CET   50032     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:50.504558086 CET   32583     50032     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:50.504690886 CET   50032     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:50.508088112 CET   50032     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:50.512958050 CET   32583     50032     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.036288023 CET   32583     50032     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.039563894 CET   50032     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.039661884 CET   50032     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.044433117 CET   32583     50032     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.483813047 CET   50033     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.488668919 CET   32583     50033     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.488760948 CET   50033     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.492168903 CET   50033     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.497051954 CET   32583     50033     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.995738029 CET   32583     50033     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:51.997806072 CET   50033     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:51.997900963 CET   50033     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.002861977 CET   32583     50033     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:52.437199116 CET   50034     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.442251921 CET   32583     50034     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:52.442464113 CET   50034     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.447841883 CET   50034     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.452719927 CET   32583     50034     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:52.959893942 CET   32583     50034     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:52.960203886 CET   50034     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.960203886 CET   50034     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:52.966269016 CET   32583     50034     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:53.389936924 CET   50035     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:53.394841909 CET   32583     50035     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:53.394961119 CET   50035     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:53.398390055 CET   50035     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:53.403641939 CET   32583     50035     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:54.283406973 CET   32583     50035     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:54.283478022 CET   50035     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:54.283561945 CET   50035     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:54.288615942 CET   32583     50035     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:54.687123060 CET   50036     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:54.692065001 CET   32583     50036     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:54.692213058 CET   50036     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:54.695522070 CET   50036     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:54.700324059 CET   32583     50036     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:55.199393988 CET   32583     50036     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:55.199476957 CET   50036     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:55.199523926 CET   50036     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:55.204356909 CET   32583     50036     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:55.597654104 CET   50037     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:55.603142023 CET   32583     50037     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:55.605567932 CET   50037     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:55.650784016 CET   50037     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:55.656589985 CET   32583     50037     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:56.112951040 CET   32583     50037     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:56.113075018 CET   50037     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:56.113188028 CET   50037     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:56.117954016 CET   32583     50037     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:56.499445915 CET   50038     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:56.504264116 CET   32583     50038     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:56.504349947 CET   50038     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:56.509921074 CET   50038     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:56.514722109 CET   32583     50038     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.012765884 CET   32583     50038     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.012887001 CET   50038     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.012959957 CET   50038     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.017734051 CET   32583     50038     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.390258074 CET   50039     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.395327091 CET   32583     50039     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.395421982 CET   50039     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.398880005 CET   50039     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.403784037 CET   32583     50039     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.903727055 CET   32583     50039     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:57.904941082 CET   50039     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.905040979 CET   50039     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:57.909909010 CET   32583     50039     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:58.279166937 CET   50040     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:58.284332037 CET   32583     50040     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:58.284451962 CET   50040     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:58.293972015 CET   50040     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:58.298888922 CET   32583     50040     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:58.861078978 CET   32583     50040     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:58.861145020 CET   50040     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:58.861195087 CET   50040     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:58.866134882 CET   32583     50040     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:59.202341080 CET   50041     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:59.207479954 CET   32583     50041     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:59.207587957 CET   50041     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:59.210994959 CET   50041     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:59.215960979 CET   32583     50041     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:59.715140104 CET   32583     50041     198.23.227.212   192.168.2.5
Nov 5, 2024 12:42:59.717714071 CET   50041     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:59.717714071 CET   50041     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:42:59.722650051 CET   32583     50041     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.046292067 CET   50042     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.051120043 CET   32583     50042     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.051206112 CET   50042     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.054584026 CET   50042     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.060880899 CET   32583     50042     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.564970970 CET   32583     50042     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.565042019 CET   50042     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.565099955 CET   50042     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.569884062 CET   32583     50042     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.890085936 CET   50043     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.895144939 CET   32583     50043     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:00.895260096 CET   50043     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.898565054 CET   50043     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:00.903362989 CET   32583     50043     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:01.401221037 CET   32583     50043     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:01.403604031 CET   50043     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:01.403798103 CET   50043     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:01.409329891 CET   32583     50043     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:01.718228102 CET   50044     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:01.723463058 CET   32583     50044     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:01.725588083 CET   50044     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:01.729986906 CET   50044     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:01.734916925 CET   32583     50044     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:02.257483959 CET   32583     50044     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:02.257710934 CET   50044     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:02.257791042 CET   50044     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:02.262573957 CET   32583     50044     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:02.562045097 CET   50045     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:02.566895008 CET   32583     50045     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:02.567039013 CET   50045     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:02.570529938 CET   50045     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:02.575489998 CET   32583     50045     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.073966026 CET   32583     50045     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.075654984 CET   50045     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.075692892 CET   50045     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.080692053 CET   32583     50045     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.377285957 CET   50046     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.382205963 CET   32583     50046     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.383554935 CET   50046     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.386810064 CET   50046     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.391868114 CET   32583     50046     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.890316963 CET   32583     50046     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:03.891235113 CET   50046     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.891319036 CET   50046     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:03.896519899 CET   32583     50046     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.186965942 CET   50047     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.192800999 CET   32583     50047     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.192922115 CET   50047     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.196168900 CET   50047     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.202275038 CET   32583     50047     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.700908899 CET   32583     50047     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.701257944 CET   50047     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.701257944 CET   50047     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.706163883 CET   32583     50047     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.968236923 CET   50048     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.973035097 CET   32583     50048     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:04.973134041 CET   50048     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.976396084 CET   50048     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:04.981234074 CET   32583     50048     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:05.479923010 CET   32583     50048     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:05.483644009 CET   50048     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:05.483793020 CET   50048     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:05.488544941 CET   32583     50048     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:05.749520063 CET   50049     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:05.754506111 CET   32583     50049     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:05.755608082 CET   50049     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:05.759016991 CET   50049     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:05.763989925 CET   32583     50049     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:06.269243002 CET   32583     50049     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:06.269304037 CET   50049     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:06.269402027 CET   50049     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:06.274251938 CET   32583     50049     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:06.542268038 CET   50050     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:06.547281027 CET   32583     50050     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:06.547399044 CET   50050     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:06.597471952 CET   50050     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:06.602421999 CET   32583     50050     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.054593086 CET   32583     50050     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.057593107 CET   50050     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.057678938 CET   50050     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.062560081 CET   32583     50050     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.311769962 CET   50051     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.316601992 CET   32583     50051     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.317575932 CET   50051     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.320993900 CET   50051     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.325807095 CET   32583     50051     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.824508905 CET   32583     50051     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:07.827672005 CET   50051     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.827871084 CET   50051     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:07.832660913 CET   32583     50051     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.061714888 CET   50052     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.067567110 CET   32583     50052     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.067651987 CET   50052     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.071178913 CET   50052     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.075931072 CET   32583     50052     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.573662996 CET   32583     50052     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.573729038 CET   50052     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.573776960 CET   50052     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.578591108 CET   32583     50052     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.811887026 CET   50053     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.816740036 CET   32583     50053     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:08.816823006 CET   50053     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.820517063 CET   50053     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:08.825431108 CET   32583     50053     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:09.340747118 CET   32583     50053     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:09.342582941 CET   50053     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:09.343228102 CET   50053     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:09.349684000 CET   32583     50053     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:09.562139034 CET   50054     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:09.567051888 CET   32583     50054     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:09.567164898 CET   50054     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:09.575221062 CET   50054     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:09.580660105 CET   32583     50054     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.074047089 CET   32583     50054     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.074117899 CET   50054     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.074295044 CET   50054     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.079138041 CET   32583     50054     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.296646118 CET   50055     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.302594900 CET   32583     50055     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.305659056 CET   50055     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.309106112 CET   50055     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.314016104 CET   32583     50055     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.820122957 CET   32583     50055     198.23.227.212   192.168.2.5
Nov 5, 2024 12:43:10.821831942 CET   50055     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.821831942 CET   50055     32583     192.168.2.5      198.23.227.212
Nov 5, 2024 12:43:10.826694965 CET   32583     50055     198.23.227.212   192.168.2.5
                                      Nov 5, 2024 12:43:11.030708075 CET5005632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.037559986 CET3258350056198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:11.037786007 CET5005632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.041109085 CET5005632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.046619892 CET3258350056198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:11.570466042 CET3258350056198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:11.570539951 CET5005632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.570604086 CET5005632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.575432062 CET3258350056198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:11.780554056 CET5005732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.785475016 CET3258350057198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:11.785548925 CET5005732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.789619923 CET5005732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:11.794559002 CET3258350057198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:12.299783945 CET3258350057198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:12.299859047 CET5005732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:12.299927950 CET5005732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:12.304790974 CET3258350057198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:12.499577999 CET5005832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:12.504549980 CET3258350058198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:12.507572889 CET5005832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:12.510790110 CET5005832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:12.516047001 CET3258350058198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.016112089 CET3258350058198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.016185999 CET5005832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.016225100 CET5005832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.021116018 CET3258350058198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.202792883 CET5005932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.207937002 CET3258350059198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.208012104 CET5005932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.212713957 CET5005932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.217679024 CET3258350059198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.715156078 CET3258350059198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.715271950 CET5005932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.715334892 CET5005932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.720119953 CET3258350059198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.905775070 CET5006032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.910893917 CET3258350060198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:13.910979033 CET5006032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.914676905 CET5006032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:13.919547081 CET3258350060198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:14.412930965 CET3258350060198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:14.415596962 CET5006032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:14.415630102 CET5006032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:14.420501947 CET3258350060198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:14.592859983 CET5006132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:14.597745895 CET3258350061198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:14.599595070 CET5006132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:14.602905989 CET5006132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:14.607942104 CET3258350061198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.107420921 CET3258350061198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.107494116 CET5006132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.107585907 CET5006132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.112368107 CET3258350061198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.280437946 CET5006232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.285281897 CET3258350062198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.285362959 CET5006232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.289221048 CET5006232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.294047117 CET3258350062198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.792727947 CET3258350062198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.795593977 CET5006232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.795629025 CET5006232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.800487995 CET3258350062198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.967897892 CET5006332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.972727060 CET3258350063198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:15.973783970 CET5006332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.977108002 CET5006332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:15.981997967 CET3258350063198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:16.481956005 CET3258350063198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:16.485603094 CET5006332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:16.485639095 CET5006332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:16.492185116 CET3258350063198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:16.655303001 CET5006432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:16.661132097 CET3258350064198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:16.661604881 CET5006432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:16.664901018 CET5006432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:16.670874119 CET3258350064198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.167778015 CET3258350064198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.170748949 CET5006432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.170833111 CET5006432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.175705910 CET3258350064198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.327120066 CET5006532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.331976891 CET3258350065198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.332063913 CET5006532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.335870981 CET5006532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.340667009 CET3258350065198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.838484049 CET3258350065198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.839577913 CET5006532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.839637995 CET5006532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:17.846442938 CET3258350065198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:17.999010086 CET5006632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.006537914 CET3258350066198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:18.007261992 CET5006632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.010567904 CET5006632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.016046047 CET3258350066198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:18.514699936 CET3258350066198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:18.514770031 CET5006632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.514813900 CET5006632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.519630909 CET3258350066198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:18.670907974 CET5006732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.675821066 CET3258350067198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:18.675895929 CET5006732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.679299116 CET5006732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:18.684125900 CET3258350067198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.183361053 CET3258350067198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.183444977 CET5006732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.183538914 CET5006732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.188563108 CET3258350067198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.327203989 CET5006832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.332155943 CET3258350068198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.335578918 CET5006832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.338824987 CET5006832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.343748093 CET3258350068198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.850703955 CET3258350068198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.850805998 CET5006832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.850827932 CET5006832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.855973959 CET3258350068198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.983395100 CET5006932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.988260031 CET3258350069198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:19.991597891 CET5006932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.994760990 CET5006932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:19.999602079 CET3258350069198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:20.497117043 CET3258350069198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:20.497179031 CET5006932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:20.497241974 CET5006932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:20.502125978 CET3258350069198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:20.624150991 CET5007032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:20.628945112 CET3258350070198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:20.629031897 CET5007032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:20.632680893 CET5007032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:20.637528896 CET3258350070198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.137021065 CET3258350070198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.137320995 CET5007032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.137320995 CET5007032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.142200947 CET3258350070198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.269398928 CET5007132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.274434090 CET3258350071198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.274991989 CET5007132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.277729988 CET5007132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.282630920 CET3258350071198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.782702923 CET3258350071198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.787547112 CET5007132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.787933111 CET5007132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.792726994 CET3258350071198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.924524069 CET5007232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.929483891 CET3258350072198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:21.929711103 CET5007232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.935555935 CET5007232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:21.940558910 CET3258350072198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:22.444654942 CET3258350072198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:22.444780111 CET5007232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:22.444823980 CET5007232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:22.449687958 CET3258350072198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:22.561760902 CET5007332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:22.566673040 CET3258350073198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:22.566754103 CET5007332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:22.572567940 CET5007332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:22.577394009 CET3258350073198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.081516981 CET3258350073198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.081620932 CET5007332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.081681967 CET5007332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.086489916 CET3258350073198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.202372074 CET5007432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.207317114 CET3258350074198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.209633112 CET5007432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.213000059 CET5007432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.217850924 CET3258350074198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.714915037 CET3258350074198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.715645075 CET5007432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.715775013 CET5007432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.720544100 CET3258350074198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.827266932 CET5007532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.832288027 CET3258350075198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:23.833916903 CET5007532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.837088108 CET5007532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:23.842164040 CET3258350075198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:24.341762066 CET3258350075198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:24.341831923 CET5007532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:24.341908932 CET5007532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:24.346718073 CET3258350075198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:24.502139091 CET5007632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:24.507127047 CET3258350076198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:24.507196903 CET5007632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:24.515929937 CET5007632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:24.520883083 CET3258350076198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.008745909 CET3258350076198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.008915901 CET5007632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.008951902 CET5007632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.013807058 CET3258350076198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.124223948 CET5007732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.129240990 CET3258350077198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.129339933 CET5007732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.132494926 CET5007732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.137454033 CET3258350077198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.628705978 CET3258350077198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.628815889 CET5007732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.628815889 CET5007732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.633650064 CET3258350077198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.733426094 CET5007832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.739082098 CET3258350078198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:25.739152908 CET5007832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.742532015 CET5007832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:25.749908924 CET3258350078198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.296245098 CET3258350078198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.296307087 CET5007832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.296377897 CET5007832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.301413059 CET3258350078198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.405481100 CET5007932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.410346985 CET3258350079198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.410414934 CET5007932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.414815903 CET5007932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.419681072 CET3258350079198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.940834045 CET3258350079198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:26.940948009 CET5007932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.993545055 CET5007932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:26.998460054 CET3258350079198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.101213932 CET5008032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.106149912 CET3258350080198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.107595921 CET5008032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.135262966 CET5008032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.140150070 CET3258350080198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.613922119 CET3258350080198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.615618944 CET5008032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.615660906 CET5008032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.620542049 CET3258350080198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.717870951 CET5008132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.723071098 CET3258350081198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:27.723603010 CET5008132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.726891041 CET5008132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:27.731807947 CET3258350081198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.230901003 CET3258350081198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.230994940 CET5008132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.231048107 CET5008132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.235919952 CET3258350081198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.327204943 CET5008232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.332132101 CET3258350082198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.332273960 CET5008232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.335690975 CET5008232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.340632915 CET3258350082198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.831732035 CET3258350082198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.831836939 CET5008232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.831886053 CET5008232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.836716890 CET3258350082198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.921274900 CET5008332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.926270962 CET3258350083198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:28.926389933 CET5008332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.931771040 CET5008332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:28.936698914 CET3258350083198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:29.441045046 CET3258350083198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:29.443599939 CET5008332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:29.443633080 CET5008332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:29.448525906 CET3258350083198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:29.530760050 CET5008432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:29.535681963 CET3258350084198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:29.537827015 CET5008432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:29.541093111 CET5008432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:29.545881033 CET3258350084198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:30.044851065 CET3258350084198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:30.045607090 CET5008432583192.168.2.5198.23.227.212
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 5, 2024 12:43:30.045702934 CET  50084  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.050506115 CET  32583  50084  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.124063969 CET  50085  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.128918886 CET  32583  50085  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.129017115 CET  50085  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.132267952 CET  50085  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.137101889 CET  32583  50085  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.642637968 CET  32583  50085  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.642841101 CET  50085  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.643039942 CET  50085  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.648458958 CET  32583  50085  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.717864990 CET  50086  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.722702026 CET  32583  50086  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:30.722913980 CET  50086  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.726361036 CET  50086  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:30.731153965 CET  32583  50086  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.228277922 CET  32583  50086  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.229886055 CET  50086  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.229887009 CET  50086  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.234884024 CET  32583  50086  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.311777115 CET  50087  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.316941977 CET  32583  50087  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.317656994 CET  50087  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.321017981 CET  50087  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.325898886 CET  32583  50087  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.823577881 CET  32583  50087  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.823715925 CET  50087  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.823753119 CET  50087  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.828630924 CET  32583  50087  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.910753012 CET  50088  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.915764093 CET  32583  50088  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:31.917599916 CET  50088  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.976658106 CET  50088  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:31.981580019 CET  32583  50088  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:32.417546988 CET  32583  50088  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:32.417618036 CET  50088  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:32.417665005 CET  50088  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:32.422516108 CET  32583  50088  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:32.499481916 CET  50089  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:32.506062984 CET  32583  50089  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:32.506134987 CET  50089  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:32.511749983 CET  50089  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:32.518210888 CET  32583  50089  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.013412952 CET  32583  50089  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.013566971 CET  50089  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.013653994 CET  50089  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.018874884 CET  32583  50089  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.092859030 CET  50090  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.097863913 CET  32583  50090  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.097970963 CET  50090  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.101186037 CET  50090  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.106095076 CET  32583  50090  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.613750935 CET  32583  50090  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.615633965 CET  50090  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.615663052 CET  50090  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.620629072 CET  32583  50090  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.686609983 CET  50091  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.691576004 CET  32583  50091  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:33.695633888 CET  50091  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.698971987 CET  50091  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:33.703921080 CET  32583  50091  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.202516079 CET  32583  50091  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.202574968 CET  50091  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.202641964 CET  50091  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.207606077 CET  32583  50091  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.264959097 CET  50092  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.269882917 CET  32583  50092  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.269951105 CET  50092  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.274722099 CET  50092  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.279661894 CET  32583  50092  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.781136990 CET  32583  50092  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:34.781373978 CET  50092  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.809096098 CET  50092  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:34.814048052 CET  32583  50092  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.002434015 CET  50093  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.007431030 CET  32583  50093  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.007580042 CET  50093  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.011840105 CET  50093  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.017420053 CET  32583  50093  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.540203094 CET  32583  50093  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.543698072 CET  50093  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.543756962 CET  50093  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.548866034 CET  32583  50093  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.608828068 CET  50094  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.613946915 CET  32583  50094  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:35.615659952 CET  50094  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.619139910 CET  50094  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:35.625551939 CET  32583  50094  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.132167101 CET  32583  50094  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.135688066 CET  50094  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.135768890 CET  50094  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.140803099 CET  32583  50094  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.202323914 CET  50095  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.207276106 CET  32583  50095  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.207667112 CET  50095  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.211253881 CET  50095  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.216202974 CET  32583  50095  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.714148045 CET  32583  50095  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.717695951 CET  50095  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.717803955 CET  50095  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.722651005 CET  32583  50095  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.780563116 CET  50096  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.785454988 CET  32583  50096  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:36.785725117 CET  50096  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.796694040 CET  50096  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:36.801665068 CET  32583  50096  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.285423040 CET  32583  50096  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.285548925 CET  50096  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.285638094 CET  50096  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.290400028 CET  32583  50096  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.343049049 CET  50097  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.348161936 CET  32583  50097  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.348248959 CET  50097  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.352062941 CET  50097  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.356991053 CET  32583  50097  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.855525017 CET  32583  50097  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.858167887 CET  50097  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.858254910 CET  50097  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.863920927 CET  32583  50097  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.921355009 CET  50098  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.926311016 CET  32583  50098  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:37.927761078 CET  50098  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.931310892 CET  50098  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:37.936266899 CET  32583  50098  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:38.444848061 CET  32583  50098  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:38.447659969 CET  50098  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:38.447725058 CET  50098  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:38.452471018 CET  32583  50098  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:38.499253035 CET  50099  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:38.504060030 CET  32583  50099  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:38.507652998 CET  50099  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:38.511451960 CET  50099  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:38.516267061 CET  32583  50099  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.038583994 CET  32583  50099  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.038729906 CET  50099  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.038754940 CET  50099  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.043718100 CET  32583  50099  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.093514919 CET  50100  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.098447084 CET  32583  50100  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.098545074 CET  50100  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.103637934 CET  50100  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.108537912 CET  32583  50100  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.598700047 CET  32583  50100  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.601713896 CET  50100  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.634763002 CET  50100  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.639913082 CET  32583  50100  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.686753035 CET  50101  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.691626072 CET  32583  50101  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:39.691715002 CET  50101  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.695359945 CET  50101  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:39.700206041 CET  32583  50101  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.192421913 CET  32583  50101  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.192572117 CET  50101  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.192711115 CET  50101  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.197611094 CET  32583  50101  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.249308109 CET  50102  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.254216909 CET  32583  50102  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.254347086 CET  50102  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.258200884 CET  50102  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.263040066 CET  32583  50102  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.786552906 CET  32583  50102  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.786674023 CET  50102  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.786768913 CET  50102  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.791766882 CET  32583  50102  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.843146086 CET  50103  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.848083019 CET  32583  50103  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:40.848233938 CET  50103  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.851758957 CET  50103  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:40.856638908 CET  32583  50103  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.357194901 CET  32583  50103  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.357264996 CET  50103  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.357383013 CET  50103  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.362111092 CET  32583  50103  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.405926943 CET  50104  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.410774946 CET  32583  50104  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.410856009 CET  50104  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.416934967 CET  50104  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.421720028 CET  32583  50104  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.916973114 CET  32583  50104  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.917098045 CET  50104  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.917207003 CET  50104  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.922046900 CET  32583  50104  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.969790936 CET  50105  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.975182056 CET  32583  50105  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:41.975317955 CET  50105  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.978961945 CET  50105  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:41.983957052 CET  32583  50105  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:42.489561081 CET  32583  50105  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:42.491656065 CET  50105  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:42.491871119 CET  50105  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:42.497394085 CET  32583  50105  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:42.530369997 CET  50106  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:42.535422087 CET  32583  50106  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:42.535495996 CET  50106  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:42.539165020 CET  50106  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:42.544006109 CET  32583  50106  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.045325994 CET  32583  50106  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.046211004 CET  50106  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.046286106 CET  50106  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.051055908 CET  32583  50106  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.093100071 CET  50107  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.097965956 CET  32583  50107  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.098063946 CET  50107  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.101557970 CET  50107  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.106416941 CET  32583  50107  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.607526064 CET  32583  50107  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.607760906 CET  50107  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.607841015 CET  50107  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.612627029 CET  32583  50107  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.656177998 CET  50108  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.661251068 CET  32583  50108  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:43.661465883 CET  50108  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.672040939 CET  50108  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:43.676899910 CET  32583  50108  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.180386066 CET  32583  50108  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.183654070 CET  50108  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.183718920 CET  50108  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.188671112 CET  32583  50108  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.233704090 CET  50109  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.238693953 CET  32583  50109  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.239667892 CET  50109  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.243402004 CET  50109  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.248461008 CET  32583  50109  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.754606962 CET  32583  50109  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.755716085 CET  50109  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.755760908 CET  50109  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.760704041 CET  32583  50109  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.811795950 CET  50110  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.817251921 CET  32583  50110  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:44.819267035 CET  50110  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.825103045 CET  50110  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:44.830082893 CET  32583  50110  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.335210085 CET  32583  50110  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.335339069 CET  50110  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.335515022 CET  50110  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.340352058 CET  32583  50110  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.374602079 CET  50111  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.379568100 CET  32583  50111  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.379997969 CET  50111  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.387759924 CET  50111  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.392664909 CET  32583  50111  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.886050940 CET  32583  50111  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.886168957 CET  50111  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.886218071 CET  50111  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.891185999 CET  32583  50111  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.921154976 CET  50112  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.926073074 CET  32583  50112  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:45.926228046 CET  50112  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.929833889 CET  50112  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:45.934842110 CET  32583  50112  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:46.458004951 CET  32583  50112  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:46.458168983 CET  50112  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:46.458168983 CET  50112  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:46.462937117 CET  32583  50112  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:46.499480963 CET  50113  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:46.504923105 CET  32583  50113  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:46.505004883 CET  50113  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:46.513628960 CET  50113  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:46.518451929 CET  32583  50113  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.034523010 CET  32583  50113  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.034579039 CET  50113  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.034625053 CET  50113  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.039710045 CET  32583  50113  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.077553988 CET  50114  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.082633972 CET  32583  50114  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.082851887 CET  50114  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.086644888 CET  50114  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.091463089 CET  32583  50114  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.615319967 CET  32583  50114  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.615436077 CET  50114  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.615468025 CET  50114  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.620331049 CET  32583  50114  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.711879969 CET  50115  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.716774940 CET  32583  50115  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:47.716881037 CET  50115  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.720650911 CET  50115  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:47.725703001 CET  32583  50115  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.224123955 CET  32583  50115  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.224271059 CET  50115  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.224332094 CET  50115  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.229166985 CET  32583  50115  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.264930964 CET  50116  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.270073891 CET  32583  50116  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.270319939 CET  50116  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.273979902 CET  50116  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.278805017 CET  32583  50116  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.803144932 CET  32583  50116  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.803256035 CET  50116  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.803324938 CET  50116  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.808165073 CET  32583  50116  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.843110085 CET  50117  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.848047018 CET  32583  50117  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:48.848148108 CET  50117  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.851722002 CET  50117  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:48.856623888 CET  32583  50117  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.348032951 CET  32583  50117  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.348376989 CET  50117  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.348418951 CET  50117  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.353379011 CET  32583  50117  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.376699924 CET  50118  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.381547928 CET  32583  50118  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.381654024 CET  50118  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.385224104 CET  50118  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.390089989 CET  32583  50118  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.888024092 CET  32583  50118  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.888139963 CET  50118  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.888433933 CET  50118  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.893146992 CET  32583  50118  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.921514034 CET  50119  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.926491976 CET  32583  50119  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:49.926589966 CET  50119  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.930460930 CET  50119  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:49.935323954 CET  32583  50119  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.433897018 CET  32583  50119  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.435702085 CET  50119  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.435832977 CET  50119  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.440655947 CET  32583  50119  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.468400955 CET  50120  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.473464012 CET  32583  50120  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.475707054 CET  50120  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.484452963 CET  50120  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.489515066 CET  32583  50120  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.982342005 CET  32583  50120  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:50.983710051 CET  50120  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.983829975 CET  50120  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:50.988646030 CET  32583  50120  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:51.015034914 CET  50121  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:51.021584034 CET  32583  50121  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:51.023726940 CET  50121  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:51.027350903 CET  50121  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:51.032248974 CET  32583  50121  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:51.555074930 CET  32583  50121  198.23.227.212  192.168.2.5
Nov 5, 2024 12:43:51.555337906 CET  50121  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:51.555337906 CET  50121  32583  192.168.2.5  198.23.227.212
Nov 5, 2024 12:43:51.560337067 CET  32583  50121  198.23.227.212  192.168.2.5
                                      Nov 5, 2024 12:43:51.593002081 CET5012232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:51.598005056 CET3258350122198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:51.598104000 CET5012232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:51.602510929 CET5012232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:51.607383013 CET3258350122198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.104753971 CET3258350122198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.104880095 CET5012232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.104938984 CET5012232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.109811068 CET3258350122198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.140192032 CET5012332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.145128012 CET3258350123198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.145257950 CET5012332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.148792028 CET5012332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.153633118 CET3258350123198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.653482914 CET3258350123198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.653820038 CET5012332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.653889894 CET5012332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.658688068 CET3258350123198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.687473059 CET5012432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.692312956 CET3258350124198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:52.695724010 CET5012432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.701416016 CET5012432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:52.706209898 CET3258350124198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.195233107 CET3258350124198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.195337057 CET5012432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.195374012 CET5012432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.200386047 CET3258350124198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.217958927 CET5012532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.222857952 CET3258350125198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.222966909 CET5012532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.227113962 CET5012532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.231973886 CET3258350125198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.731918097 CET3258350125198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.732023001 CET5012532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.732783079 CET5012532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.737931013 CET3258350125198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.764823914 CET5012632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.769790888 CET3258350126198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:53.769893885 CET5012632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.773350000 CET5012632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:53.778192043 CET3258350126198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.309523106 CET3258350126198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.309705019 CET5012632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.309731007 CET5012632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.314623117 CET3258350126198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.342983961 CET5012732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.348001003 CET3258350127198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.348242044 CET5012732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.352171898 CET5012732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.357093096 CET3258350127198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.857043982 CET3258350127198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.857923031 CET5012732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.858216047 CET5012732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.863048077 CET3258350127198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.890250921 CET5012832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.895226955 CET3258350128198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:54.895433903 CET5012832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.899190903 CET5012832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:54.904165030 CET3258350128198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.401740074 CET3258350128198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.401815891 CET5012832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.401952982 CET5012832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.406764030 CET3258350128198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.421642065 CET5012932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.426528931 CET3258350129198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.426610947 CET5012932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.432960987 CET5012932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.437889099 CET3258350129198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.935255051 CET3258350129198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.935390949 CET5012932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.935482979 CET5012932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.940511942 CET3258350129198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.967982054 CET5013032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.972953081 CET3258350130198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:55.973062992 CET5013032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.976564884 CET5013032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:55.981492996 CET3258350130198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:56.479959011 CET3258350130198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:56.481704950 CET5013032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:56.481754065 CET5013032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:56.487198114 CET3258350130198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:56.529202938 CET5013132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:56.534198999 CET3258350131198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:56.534847975 CET5013132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:56.554676056 CET5013132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:56.559628010 CET3258350131198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.056170940 CET3258350131198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.056274891 CET5013132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.056319952 CET5013132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.062836885 CET3258350131198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.077491999 CET5013232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.084551096 CET3258350132198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.084707022 CET5013232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.088494062 CET5013232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.095513105 CET3258350132198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.593534946 CET3258350132198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.595778942 CET5013232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.595855951 CET5013232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.601408005 CET3258350132198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.624414921 CET5013332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.629522085 CET3258350133198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:57.630367041 CET5013332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.633954048 CET5013332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:57.638798952 CET3258350133198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.147106886 CET3258350133198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.147233009 CET5013332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.147233009 CET5013332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.152262926 CET3258350133198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.171617985 CET5013432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.176449060 CET3258350134198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.176527023 CET5013432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.180761099 CET5013432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.185683012 CET3258350134198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.683901072 CET3258350134198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.685797930 CET5013432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.685933113 CET5013432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.690905094 CET3258350134198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.702519894 CET5013532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.709953070 CET3258350135198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:58.714126110 CET5013532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.718698025 CET5013532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:58.724016905 CET3258350135198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.222136021 CET3258350135198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.222256899 CET5013532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.222290993 CET5013532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.227404118 CET3258350135198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.249279976 CET5013632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.254498959 CET3258350136198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.254602909 CET5013632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.257998943 CET5013632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.262871027 CET3258350136198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.764230967 CET3258350136198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.764331102 CET5013632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.764462948 CET5013632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.769278049 CET3258350136198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.784950972 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.790200949 CET3258350137198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:43:59.790282965 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.798032999 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:43:59.803018093 CET3258350137198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:00.323786020 CET3258350137198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:00.323894978 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.323992014 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.343386889 CET5013832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.562927961 CET3258350137198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:00.562942028 CET3258350137198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:00.562951088 CET3258350138198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:00.563046932 CET5013732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.563111067 CET5013832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.566667080 CET5013832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:00.571573973 CET3258350138198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.070442915 CET3258350138198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.070564985 CET5013832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.070615053 CET5013832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.075571060 CET3258350138198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.094661951 CET5013932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.099884033 CET3258350139198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.100035906 CET5013932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.103571892 CET5013932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.108495951 CET3258350139198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.615818024 CET3258350139198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.616367102 CET5013932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.616367102 CET5013932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.621304035 CET3258350139198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.641146898 CET5014032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.646239996 CET3258350140198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:01.646709919 CET5014032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.650089025 CET5014032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:01.655050993 CET3258350140198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.152916908 CET3258350140198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.155728102 CET5014032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.157490015 CET5014032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.162403107 CET3258350140198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.171101093 CET5014132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.176043987 CET3258350141198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.176214933 CET5014132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.181025028 CET5014132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.185851097 CET3258350141198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.683227062 CET3258350141198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.683392048 CET5014132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.683562994 CET5014132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.688421965 CET3258350141198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.703016043 CET5014232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.707981110 CET3258350142198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:02.708059072 CET5014232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.719969988 CET5014232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:02.725008011 CET3258350142198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.216694117 CET3258350142198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.219796896 CET5014232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.219902992 CET5014232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.224673033 CET3258350142198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.233582020 CET5014332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.238619089 CET3258350143198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.239684105 CET5014332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.243177891 CET5014332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.248136044 CET3258350143198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.755639076 CET3258350143198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.759407043 CET5014332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.759594917 CET5014332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.764761925 CET3258350143198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.780678034 CET5014432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.785621881 CET3258350144198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:03.787722111 CET5014432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.791198969 CET5014432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:03.796611071 CET3258350144198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.290519953 CET3258350144198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.290620089 CET5014432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.290663004 CET5014432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.295645952 CET3258350144198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.311908960 CET5014532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.317138910 CET3258350145198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.317223072 CET5014532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.320647955 CET5014532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.325552940 CET3258350145198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.834072113 CET3258350145198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.834166050 CET5014532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.839000940 CET5014532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.843816042 CET3258350145198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.867120028 CET5014632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.872220993 CET3258350146198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:04.872370005 CET5014632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.878062010 CET5014632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:04.882988930 CET3258350146198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.388192892 CET3258350146198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.391700029 CET5014632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.391890049 CET5014632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.396651030 CET3258350146198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.405483007 CET5014732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.410365105 CET3258350147198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.411689997 CET5014732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.415174007 CET5014732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.419991970 CET3258350147198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.946633101 CET3258350147198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.947698116 CET5014732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.947792053 CET5014732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.952670097 CET3258350147198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.967950106 CET5014832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.973310947 CET3258350148198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:05.975713968 CET5014832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.979341984 CET5014832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:05.984204054 CET3258350148198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:06.483496904 CET3258350148198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:06.483582973 CET5014832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:06.485879898 CET5014832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:06.491164923 CET3258350148198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:06.499449968 CET5014932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:06.504471064 CET3258350149198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:06.504555941 CET5014932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:06.513531923 CET5014932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:06.518578053 CET3258350149198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:07.012377977 CET3258350149198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:07.012526035 CET5014932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:07.012557983 CET5014932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:07.019843102 CET3258350149198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:07.030858040 CET5015032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:07.035962105 CET3258350150198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:07.036063910 CET5015032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:07.041359901 CET5015032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:07.046273947 CET3258350150198.23.227.212192.168.2.5
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Nov 5, 2024 12:44:07.543020964 CET  32583        50150      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:07.543665886 CET  50150        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:07.543777943 CET  50150        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:07.548593044 CET  32583        50150      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:07.719239950 CET  50151        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:07.724236965 CET  32583        50151      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:07.726171017 CET  50151        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:07.729655981 CET  50151        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:07.734539986 CET  32583        50151      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.250359058 CET  32583        50151      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.250452042 CET  50151        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.250518084 CET  50151        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.255328894 CET  32583        50151      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.265013933 CET  50152        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.270032883 CET  32583        50152      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.270145893 CET  50152        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.273684978 CET  50152        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.278568983 CET  32583        50152      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.785963058 CET  32583        50152      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.786118984 CET  50152        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.786148071 CET  50152        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.791057110 CET  32583        50152      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.796147108 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.801071882 CET  32583        50153      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:08.801184893 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.804855108 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:08.809720993 CET  32583        50153      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:09.707977057 CET  32583        50153      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:09.708193064 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.708193064 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.708785057 CET  32583        50153      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:09.709584951 CET  50153        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.717921019 CET  50154        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.722543955 CET  32583        50153      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:09.728822947 CET  32583        50154      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:09.728985071 CET  50154        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.732635021 CET  50154        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:09.758929968 CET  32583        50154      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.230055094 CET  32583        50154      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.231127024 CET  50154        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.231200933 CET  50154        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.236023903 CET  32583        50154      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.249470949 CET  50155        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.254995108 CET  32583        50155      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.255125046 CET  50155        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.258685112 CET  50155        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.263648987 CET  32583        50155      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.762139082 CET  32583        50155      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.763760090 CET  50155        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.763842106 CET  50155        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.768728971 CET  32583        50155      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.780529022 CET  50156        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.785417080 CET  32583        50156      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:10.787705898 CET  50156        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.791505098 CET  50156        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:10.796505928 CET  32583        50156      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.297760010 CET  32583        50156      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.297864914 CET  50156        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.297894955 CET  50156        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.305008888 CET  32583        50156      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.311762094 CET  50157        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.319977045 CET  32583        50157      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.320118904 CET  50157        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.326559067 CET  50157        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.334172010 CET  32583        50157      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.833296061 CET  32583        50157      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.833364010 CET  50157        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.833406925 CET  50157        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.838385105 CET  32583        50157      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.843024015 CET  50158        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.847974062 CET  32583        50158      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:11.848066092 CET  50158        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.851696014 CET  50158        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:11.856617928 CET  32583        50158      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.364485025 CET  32583        50158      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.366812944 CET  50158        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.366858006 CET  50158        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.371747971 CET  32583        50158      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.374109030 CET  50159        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.378988981 CET  32583        50159      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.379075050 CET  50159        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.382379055 CET  50159        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.387281895 CET  32583        50159      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.885481119 CET  32583        50159      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.887759924 CET  50159        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.887865067 CET  50159        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.892817020 CET  32583        50159      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.905523062 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.910440922 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:12.911721945 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.915216923 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:12.920063019 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.092168093 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.092242956 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.092289925 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.092318058 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.092359066 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.092422962 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.092509985 CET  50160        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.097954035 CET  32583        50160      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.108653069 CET  50161        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.113523960 CET  32583        50161      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.113650084 CET  50161        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.117161036 CET  50161        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.122025967 CET  32583        50161      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.622576952 CET  32583        50161      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.623763084 CET  50161        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.623827934 CET  50161        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.628597021 CET  32583        50161      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.639900923 CET  50162        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.644768000 CET  32583        50162      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:14.647720098 CET  50162        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.651118040 CET  50162        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:14.655953884 CET  32583        50162      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.167582989 CET  32583        50162      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.167872906 CET  50162        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.167983055 CET  50162        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.172768116 CET  32583        50162      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.186785936 CET  50163        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.191741943 CET  32583        50163      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.191975117 CET  50163        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.195322037 CET  50163        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.200099945 CET  32583        50163      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.699542999 CET  32583        50163      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.699652910 CET  50163        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.699758053 CET  50163        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.704551935 CET  32583        50163      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.717933893 CET  50164        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.722861052 CET  32583        50164      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:15.722954035 CET  50164        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.726468086 CET  50164        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:15.731290102 CET  32583        50164      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.238068104 CET  32583        50164      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.238178968 CET  50164        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.238259077 CET  50164        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.243077040 CET  32583        50164      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.249440908 CET  50165        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.254297018 CET  32583        50165      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.255697966 CET  50165        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.259438992 CET  50165        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.264247894 CET  32583        50165      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.754688978 CET  32583        50165      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.755767107 CET  50165        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.755939960 CET  50165        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.760700941 CET  32583        50165      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.771177053 CET  50166        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.776154041 CET  32583        50166      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:16.779730082 CET  50166        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.863095999 CET  50166        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:16.868175030 CET  32583        50166      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.301353931 CET  32583        50166      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.301505089 CET  50166        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.301659107 CET  50166        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.306449890 CET  32583        50166      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.311801910 CET  50167        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.316775084 CET  32583        50167      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.316884041 CET  50167        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.320378065 CET  50167        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.325191021 CET  32583        50167      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.823280096 CET  32583        50167      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.823426962 CET  50167        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.823590994 CET  50167        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.828401089 CET  32583        50167      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.843379974 CET  50168        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.848370075 CET  32583        50168      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:17.848467112 CET  50168        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.852068901 CET  50168        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:17.856837034 CET  32583        50168      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.348675966 CET  32583        50168      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.348743916 CET  50168        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.348779917 CET  50168        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.353596926 CET  32583        50168      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.358714104 CET  50169        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.365360022 CET  32583        50169      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.365427971 CET  50169        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.368916035 CET  50169        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.375624895 CET  32583        50169      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.880039930 CET  32583        50169      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.883697987 CET  50169        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.886476994 CET  50169        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.891338110 CET  32583        50169      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.905426979 CET  50170        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.910352945 CET  32583        50170      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:18.911704063 CET  50170        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.915167093 CET  50170        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:18.920037985 CET  32583        50170      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.425273895 CET  32583        50170      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.427742958 CET  50170        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.429127932 CET  50170        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.433994055 CET  32583        50170      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.445898056 CET  50171        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.450859070 CET  32583        50171      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.451728106 CET  50171        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.457180023 CET  50171        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.461942911 CET  32583        50171      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.958237886 CET  32583        50171      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.958301067 CET  50171        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.958394051 CET  50171        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.963179111 CET  32583        50171      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.968862057 CET  50172        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.973793983 CET  32583        50172      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:19.973867893 CET  50172        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.977335930 CET  50172        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:19.982269049 CET  32583        50172      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:20.475343943 CET  32583        50172      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:20.475439072 CET  50172        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:20.475501060 CET  50172        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:20.480268955 CET  32583        50172      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:20.483524084 CET  50173        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:20.488514900 CET  32583        50173      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:20.490772009 CET  50173        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:20.494379044 CET  50173        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:20.499218941 CET  32583        50173      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.007339954 CET  32583        50173      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.007405996 CET  50173        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.007507086 CET  50173        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.012470007 CET  32583        50173      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.015007973 CET  50174        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.020716906 CET  32583        50174      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.020920038 CET  50174        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.024502993 CET  50174        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.029419899 CET  32583        50174      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.554312944 CET  32583        50174      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.556217909 CET  50174        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.556294918 CET  50174        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.561131954 CET  32583        50174      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.562022924 CET  50175        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.566906929 CET  32583        50175      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:21.571778059 CET  50175        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.575351000 CET  50175        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:21.580132961 CET  32583        50175      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.085251093 CET  32583        50175      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.085315943 CET  50175        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.085434914 CET  50175        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.090486050 CET  32583        50175      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.093259096 CET  50176        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.098364115 CET  32583        50176      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.098433971 CET  50176        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.102298021 CET  50176        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.108335018 CET  32583        50176      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.606359005 CET  32583        50176      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.608429909 CET  50176        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.608472109 CET  50176        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.613337040 CET  32583        50176      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.624330044 CET  50177        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.629189968 CET  32583        50177      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:22.629924059 CET  50177        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.633456945 CET  50177        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:22.638253927 CET  32583        50177      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.162236929 CET  32583        50177      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.163790941 CET  50177        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.163849115 CET  50177        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.168639898 CET  32583        50177      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.171099901 CET  50178        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.175945997 CET  32583        50178      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.179724932 CET  50178        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.183242083 CET  50178        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.188106060 CET  32583        50178      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.695065022 CET  32583        50178      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.695640087 CET  50178        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.695640087 CET  50178        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.700485945 CET  32583        50178      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.703327894 CET  50179        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.708209038 CET  32583        50179      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:23.708518982 CET  50179        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.762809038 CET  50179        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:23.767669916 CET  32583        50179      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.210078001 CET  32583        50179      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.210179090 CET  50179        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.210236073 CET  50179        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.215090036 CET  32583        50179      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.218318939 CET  50180        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.223162889 CET  32583        50180      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.223294973 CET  50180        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.227092028 CET  50180        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.232059002 CET  32583        50180      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.737464905 CET  32583        50180      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.739734888 CET  50180        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.739805937 CET  50180        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.744627953 CET  32583        50180      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.749505043 CET  50181        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.754463911 CET  32583        50181      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:24.755744934 CET  50181        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.761907101 CET  50181        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:24.766793966 CET  32583        50181      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.271488905 CET  32583        50181      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.271616936 CET  50181        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.271672964 CET  50181        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.276599884 CET  32583        50181      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.280543089 CET  50182        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.285403013 CET  32583        50182      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.285509109 CET  50182        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.288970947 CET  50182        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.295290947 CET  32583        50182      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.786581039 CET  32583        50182      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.786672115 CET  50182        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.786856890 CET  50182        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.791619062 CET  32583        50182      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.796138048 CET  50183        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.801075935 CET  32583        50183      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:25.801163912 CET  50183        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.804522991 CET  50183        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:25.809299946 CET  32583        50183      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.308777094 CET  32583        50183      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.308861971 CET  50183        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.309060097 CET  50183        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.313808918 CET  32583        50183      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.332549095 CET  50184        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.337577105 CET  32583        50184      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.339721918 CET  50184        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.382097960 CET  50184        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.386986017 CET  32583        50184      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.846839905 CET  32583        50184      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.849797964 CET  50184        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.849853992 CET  50184        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.854710102 CET  32583        50184      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.860250950 CET  50185        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.865245104 CET  32583        50185      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:26.865817070 CET  50185        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.869966030 CET  50185        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:26.874799967 CET  32583        50185      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.366067886 CET  32583        50185      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.366210938 CET  50185        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.366267920 CET  50185        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.371191025 CET  32583        50185      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.374234915 CET  50186        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.379213095 CET  32583        50186      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.379352093 CET  50186        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.382762909 CET  50186        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.387644053 CET  32583        50186      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.904850960 CET  32583        50186      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.904925108 CET  50186        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.905148983 CET  50186        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:27.909970999 CET  32583        50186      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:27.921252012 CET  50187        32583      192.168.2.5     198.23.227.212
                                      Nov 5, 2024 12:44:27.926201105 CET3258350187198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:27.926270962 CET5018732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:27.931709051 CET5018732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:27.936721087 CET3258350187198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.434248924 CET3258350187198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.434319973 CET5018732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:28.434357882 CET5018732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:28.439250946 CET3258350187198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.452299118 CET5018832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:28.457192898 CET3258350188198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.459758043 CET5018832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:28.466639996 CET5018832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:28.471450090 CET3258350188198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.986186981 CET3258350188198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:28.987796068 CET5018832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.000883102 CET5018832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.006438017 CET3258350188198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.046093941 CET5018932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.051063061 CET3258350189198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.051774025 CET5018932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.056966066 CET5018932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.061790943 CET3258350189198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.558077097 CET3258350189198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.558237076 CET5018932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.558445930 CET5018932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.561693907 CET5019032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.563219070 CET3258350189198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.566557884 CET3258350190198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:29.566629887 CET5019032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.570410013 CET5019032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:29.575388908 CET3258350190198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.066096067 CET3258350190198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.066220999 CET5019032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.066256046 CET5019032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.071044922 CET3258350190198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.077310085 CET5019132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.082220078 CET3258350191198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.082319021 CET5019132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.085800886 CET5019132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.090640068 CET3258350191198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.588740110 CET3258350191198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.588804007 CET5019132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.588900089 CET5019132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.592941999 CET5019232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.593755007 CET3258350191198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.597743988 CET3258350192198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:30.597814083 CET5019232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.603044033 CET5019232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:30.607954025 CET3258350192198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.104938984 CET3258350192198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.105073929 CET5019232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.105114937 CET5019232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.108666897 CET5019332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.110034943 CET3258350192198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.113598108 CET3258350193198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.113697052 CET5019332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.117072105 CET5019332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.121973038 CET3258350193198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.620172977 CET3258350193198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.622792959 CET5019332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.622957945 CET5019332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.627984047 CET3258350193198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.640182018 CET5019432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.645205975 CET3258350194198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:31.645822048 CET5019432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.649755001 CET5019432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:31.654819012 CET3258350194198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.163412094 CET3258350194198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.167768955 CET5019432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.167843103 CET5019432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.171010017 CET5019532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.172852993 CET3258350194198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.175997019 CET3258350195198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.179771900 CET5019532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.183267117 CET5019532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.188307047 CET3258350195198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.712641954 CET3258350195198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.712708950 CET5019532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.712765932 CET5019532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.717636108 CET3258350195198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.718106985 CET5019632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.723073006 CET3258350196198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:32.723156929 CET5019632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.728261948 CET5019632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:32.733103991 CET3258350196198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.229759932 CET3258350196198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.229888916 CET5019632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.229954958 CET5019632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.233505964 CET5019732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.234853983 CET3258350196198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.238372087 CET3258350197198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.238440037 CET5019732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.243182898 CET5019732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.248123884 CET3258350197198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.753000021 CET3258350197198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.755794048 CET5019732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.755904913 CET5019732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.760705948 CET3258350197198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.765050888 CET5019832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.769870043 CET3258350198198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:33.770081997 CET5019832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.773993969 CET5019832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:33.778767109 CET3258350198198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.285911083 CET3258350198198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.286057949 CET5019832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.286134958 CET5019832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.290909052 CET3258350198198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.296164036 CET5019932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.301029921 CET3258350199198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.301243067 CET5019932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.306593895 CET5019932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.311414957 CET3258350199198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.801671028 CET3258350199198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.801824093 CET5019932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.801862955 CET5019932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.806850910 CET3258350199198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.811757088 CET5020032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.816704035 CET3258350200198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:34.816807985 CET5020032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.820216894 CET5020032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:34.825150967 CET3258350200198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.330451012 CET3258350200198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.331768990 CET5020032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.331857920 CET5020032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.336827040 CET3258350200198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.342958927 CET5020132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.347870111 CET3258350201198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.351912975 CET5020132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.355278015 CET5020132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.360060930 CET3258350201198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.859457016 CET3258350201198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.859607935 CET5020132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.859652996 CET5020132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.864646912 CET3258350201198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.874357939 CET5020232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.879878998 CET3258350202198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:35.882039070 CET5020232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.885533094 CET5020232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:35.891204119 CET3258350202198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.397017002 CET3258350202198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.397083044 CET5020232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.397171974 CET5020232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.401998043 CET3258350202198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.405986071 CET5020332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.411009073 CET3258350203198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.411088943 CET5020332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.416692019 CET5020332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.421545029 CET3258350203198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.937659979 CET3258350203198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.937717915 CET5020332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.937757969 CET5020332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.942642927 CET3258350203198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.952419996 CET5020432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.957365990 CET3258350204198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:36.957479954 CET5020432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.960969925 CET5020432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:36.965825081 CET3258350204198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:37.489797115 CET3258350204198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:37.490309954 CET5020432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:37.490372896 CET5020432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:37.495321989 CET3258350204198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:37.499828100 CET5020532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:37.504832983 CET3258350205198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:37.504942894 CET5020532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:37.514775991 CET5020532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:37.519700050 CET3258350205198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.004117966 CET3258350205198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.007788897 CET5020532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.009186029 CET5020532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.014065981 CET3258350205198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.020586967 CET5020632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.025554895 CET3258350206198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.027767897 CET5020632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.096574068 CET5020632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.101480007 CET3258350206198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.554903030 CET3258350206198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.554974079 CET5020632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.555073977 CET5020632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.559832096 CET3258350206198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.562630892 CET5020732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.567472935 CET3258350207198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:38.567544937 CET5020732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.573779106 CET5020732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:38.578659058 CET3258350207198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.076661110 CET3258350207198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.076802015 CET5020732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.077008009 CET5020732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.082927942 CET3258350207198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.093023062 CET5020832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.098587990 CET3258350208198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.098706007 CET5020832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.102188110 CET5020832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.107062101 CET3258350208198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.606055021 CET3258350208198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.606120110 CET5020832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.606164932 CET5020832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.608495951 CET5020932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.611176968 CET3258350208198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.613300085 CET3258350209198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:39.615770102 CET5020932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.619138956 CET5020932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:39.624897957 CET3258350209198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.124696970 CET3258350209198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.124778032 CET5020932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.124841928 CET5020932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.130194902 CET3258350209198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.139933109 CET5021032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.145394087 CET3258350210198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.145500898 CET5021032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.148998976 CET5021032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.153917074 CET3258350210198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.645965099 CET3258350210198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.651761055 CET5021032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.659107924 CET5021032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.664077997 CET3258350210198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.671143055 CET5021132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.677010059 CET3258350211198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:40.677114964 CET5021132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.681628942 CET5021132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:40.686491013 CET3258350211198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.183727026 CET3258350211198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.187740088 CET5021132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.187813044 CET5021132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.192728043 CET3258350211198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.202342033 CET5021232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.207544088 CET3258350212198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.207746029 CET5021232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.211600065 CET5021232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.216442108 CET3258350212198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.714308023 CET3258350212198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.714905977 CET5021232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.714987993 CET5021232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.718128920 CET5021332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.719854116 CET3258350212198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.723258018 CET3258350213198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:41.723356009 CET5021332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.726825953 CET5021332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:41.731663942 CET3258350213198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.230902910 CET3258350213198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.231113911 CET5021332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.231265068 CET5021332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.233629942 CET5021432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.236048937 CET3258350213198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.238539934 CET3258350214198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.238691092 CET5021432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.242217064 CET5021432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.247076988 CET3258350214198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.752430916 CET3258350214198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.752511978 CET5021432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.752559900 CET5021432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.757404089 CET3258350214198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.765302896 CET5021532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.770180941 CET3258350215198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:42.770257950 CET5021532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.775990963 CET5021532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:42.780878067 CET3258350215198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:43.288178921 CET3258350215198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:44:43.289825916 CET5021532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:44:43.289889097 CET5021532583192.168.2.5198.23.227.212
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Nov 5, 2024 12:44:43.294706106 CET  32583        50215      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.296225071 CET  50216        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.301069975 CET  32583        50216      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.302007914 CET  50216        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.305598974 CET  50216        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.310478926 CET  32583        50216      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.802917957 CET  32583        50216      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.803040028 CET  50216        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.803080082 CET  50216        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.807934999 CET  32583        50216      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.811722040 CET  50217        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.816596985 CET  32583        50217      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:43.816971064 CET  50217        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.821043968 CET  50217        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:43.827442884 CET  32583        50217      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.334600925 CET  32583        50217      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.334763050 CET  50217        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.334830999 CET  50217        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.339745045 CET  32583        50217      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.343044996 CET  50218        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.348062038 CET  32583        50218      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.348162889 CET  50218        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.351818085 CET  50218        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.356775045 CET  32583        50218      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.857053041 CET  32583        50218      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.857111931 CET  50218        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.857160091 CET  50218        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.862185001 CET  32583        50218      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.874366045 CET  50219        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.879281044 CET  32583        50219      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:44.879350901 CET  50219        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.885303020 CET  50219        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:44.890353918 CET  32583        50219      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.411526918 CET  32583        50219      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.411747932 CET  50219        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.415674925 CET  50219        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.420509100 CET  32583        50219      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.421047926 CET  50220        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.425915003 CET  32583        50220      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.425998926 CET  50220        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.429568052 CET  50220        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.434398890 CET  32583        50220      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.933768988 CET  32583        50220      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.935806990 CET  50220        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.935851097 CET  50220        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.944082975 CET  32583        50220      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.952281952 CET  50221        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.957487106 CET  32583        50221      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:45.959753036 CET  50221        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.963088036 CET  50221        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:45.969535112 CET  32583        50221      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.461766005 CET  32583        50221      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.461906910 CET  50221        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.461961985 CET  50221        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.467103958 CET  32583        50221      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.471240044 CET  50222        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.476141930 CET  32583        50222      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.476227045 CET  50222        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.479798079 CET  50222        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.484675884 CET  32583        50222      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.983053923 CET  32583        50222      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.983156919 CET  50222        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.983213902 CET  50222        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:46.988020897 CET  32583        50222      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:46.999218941 CET  50223        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.004214048 CET  32583        50223      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:47.004304886 CET  50223        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.007885933 CET  50223        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.015281916 CET  32583        50223      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:47.514108896 CET  32583        50223      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:47.515743017 CET  50223        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.515832901 CET  50223        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.520632982 CET  32583        50223      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:47.530529022 CET  50224        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.535692930 CET  32583        50224      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:47.539814949 CET  50224        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.543185949 CET  50224        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:47.548034906 CET  32583        50224      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.071901083 CET  32583        50224      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.072010040 CET  50224        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.072089911 CET  50224        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.077306032 CET  50225        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.078974962 CET  32583        50224      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.084023952 CET  32583        50225      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.084104061 CET  50225        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.087522984 CET  50225        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.095053911 CET  32583        50225      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.594495058 CET  32583        50225      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.594554901 CET  50225        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.594660997 CET  50225        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.599580050 CET  32583        50225      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.608874083 CET  50226        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.613702059 CET  32583        50226      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:48.613769054 CET  50226        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.618681908 CET  50226        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:48.623512030 CET  32583        50226      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.121475935 CET  32583        50226      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.121767998 CET  50226        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.123209000 CET  50226        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.124227047 CET  50227        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.128082991 CET  32583        50226      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.129153967 CET  32583        50227      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.129297972 CET  50227        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.132746935 CET  50227        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.137840986 CET  32583        50227      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.637873888 CET  32583        50227      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.639822960 CET  50227        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.640481949 CET  50227        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.645277023 CET  32583        50227      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.655509949 CET  50228        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.660471916 CET  32583        50228      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:49.663755894 CET  50228        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.667207956 CET  50228        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:49.672096968 CET  32583        50228      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.166207075 CET  32583        50228      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.167793989 CET  50228        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.167895079 CET  50228        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.168492079 CET  50229        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.172671080 CET  32583        50228      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.173342943 CET  32583        50229      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.173479080 CET  50229        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.176938057 CET  50229        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.181690931 CET  32583        50229      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.679732084 CET  32583        50229      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.679800034 CET  50229        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.679908991 CET  50229        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.680569887 CET  50230        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.684730053 CET  32583        50229      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.685359001 CET  32583        50230      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:50.685431004 CET  50230        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.691828966 CET  50230        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:50.696644068 CET  32583        50230      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.211112976 CET  32583        50230      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.211185932 CET  50230        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.211219072 CET  50230        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.211757898 CET  50231        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.216075897 CET  32583        50230      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.216562033 CET  32583        50231      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.216629982 CET  50231        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.221064091 CET  50231        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.225836039 CET  32583        50231      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.732729912 CET  32583        50231      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.733439922 CET  50231        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.733572006 CET  50231        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.734124899 CET  50232        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.738359928 CET  32583        50231      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.738918066 CET  32583        50232      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:51.739006996 CET  50232        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.742527962 CET  50232        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:51.747389078 CET  32583        50232      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.252732038 CET  32583        50232      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.252814054 CET  50232        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.252871037 CET  50232        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.253757954 CET  50233        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.257694960 CET  32583        50232      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.258790970 CET  32583        50233      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.258858919 CET  50233        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.264848948 CET  50233        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.269690037 CET  32583        50233      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.788343906 CET  32583        50233      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.788428068 CET  50233        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.788477898 CET  50233        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.788984060 CET  50234        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.793292046 CET  32583        50233      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.793754101 CET  32583        50234      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:52.793827057 CET  50234        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.797472954 CET  50234        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:52.802371979 CET  32583        50234      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.300971031 CET  32583        50234      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.303862095 CET  50234        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.303900957 CET  50234        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.304574013 CET  50235        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.311438084 CET  32583        50234      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.311455965 CET  32583        50235      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.311556101 CET  50235        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.315253019 CET  50235        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.322271109 CET  32583        50235      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.837882996 CET  32583        50235      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.839257002 CET  50235        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.839329958 CET  50235        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.839883089 CET  50236        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.844136000 CET  32583        50235      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.844729900 CET  32583        50236      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:53.844829082 CET  50236        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.848377943 CET  50236        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:53.853482008 CET  32583        50236      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.362159014 CET  32583        50236      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.362221956 CET  50236        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.362286091 CET  50236        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.362967014 CET  50237        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.367060900 CET  32583        50236      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.367825031 CET  32583        50237      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.367908955 CET  50237        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.372519970 CET  50237        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.377572060 CET  32583        50237      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.907164097 CET  32583        50237      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.907233000 CET  50237        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.907304049 CET  50237        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.907802105 CET  50238        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.912307978 CET  32583        50237      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.912636042 CET  32583        50238      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:54.912971020 CET  50238        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.916450024 CET  50238        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:54.921355009 CET  32583        50238      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.414032936 CET  32583        50238      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.417841911 CET  50238        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.417885065 CET  50238        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.418538094 CET  50239        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.422794104 CET  32583        50238      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.423362970 CET  32583        50239      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.423439980 CET  50239        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.426835060 CET  50239        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.431751013 CET  32583        50239      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.948826075 CET  32583        50239      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.948932886 CET  50239        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.949028969 CET  50239        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.949853897 CET  50240        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.955049992 CET  32583        50239      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.956162930 CET  32583        50240      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:55.956273079 CET  50240        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.959966898 CET  50240        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:55.966129065 CET  32583        50240      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.474751949 CET  32583        50240      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.475828886 CET  50240        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.475922108 CET  50240        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.476481915 CET  50241        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.483880997 CET  32583        50240      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.484318972 CET  32583        50241      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.484416008 CET  50241        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.487880945 CET  50241        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.495168924 CET  32583        50241      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.991292000 CET  32583        50241      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.993855000 CET  50241        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.993906975 CET  50241        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.994496107 CET  50242        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:56.999236107 CET  32583        50241      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.999306917 CET  32583        50242      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:56.999416113 CET  50242        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.002933025 CET  50242        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.008033991 CET  32583        50242      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:57.509282112 CET  32583        50242      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:57.509373903 CET  50242        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.509392977 CET  50242        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.509927988 CET  50243        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.514508963 CET  32583        50242      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:57.514791012 CET  32583        50243      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:57.514870882 CET  50243        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.518841982 CET  50243        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:57.523739100 CET  32583        50243      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.023962021 CET  32583        50243      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.024192095 CET  50243        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.024276018 CET  50243        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.025975943 CET  50244        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.029732943 CET  32583        50243      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.031506062 CET  32583        50244      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.031693935 CET  50244        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.035340071 CET  50244        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.040543079 CET  32583        50244      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.539706945 CET  32583        50244      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.541810989 CET  50244        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.541872025 CET  50244        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.542402983 CET  50245        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.546889067 CET  32583        50244      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.547238111 CET  32583        50245      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:58.547372103 CET  50245        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.551120996 CET  50245        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:58.555963993 CET  32583        50245      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.053612947 CET  32583        50245      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.054882050 CET  50245        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.054948092 CET  50245        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.055562973 CET  50246        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.059869051 CET  32583        50245      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.060347080 CET  32583        50246      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.060482025 CET  50246        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.064071894 CET  50246        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.068932056 CET  32583        50246      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.574923038 CET  32583        50246      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.574990988 CET  50246        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.575136900 CET  50246        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.575901985 CET  50247        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.579976082 CET  32583        50246      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.580966949 CET  32583        50247      198.23.227.212  192.168.2.5
Nov 5, 2024 12:44:59.581049919 CET  50247        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.586432934 CET  50247        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:44:59.591236115 CET  32583        50247      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.087727070 CET  32583        50247      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.087888956 CET  50247        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.088010073 CET  50247        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.088618040 CET  50248        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.094772100 CET  32583        50247      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.094811916 CET  32583        50248      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.094933033 CET  50248        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.098511934 CET  50248        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.103425026 CET  32583        50248      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.594455004 CET  32583        50248      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.594542027 CET  50248        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.594599962 CET  50248        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.595110893 CET  50249        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.599539995 CET  32583        50248      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.600033045 CET  32583        50249      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:00.600107908 CET  50249        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.603499889 CET  50249        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:00.608437061 CET  32583        50249      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.115266085 CET  32583        50249      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.115375996 CET  50249        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.115423918 CET  50249        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.115977049 CET  50250        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.120409012 CET  32583        50249      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.120929003 CET  32583        50250      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.121414900 CET  50250        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.125106096 CET  50250        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.131484032 CET  32583        50250      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.629781961 CET  32583        50250      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.629849911 CET  50250        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.629970074 CET  50250        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.631154060 CET  50251        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.634779930 CET  32583        50250      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.635992050 CET  32583        50251      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:01.636063099 CET  50251        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.642497063 CET  50251        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:01.647501945 CET  32583        50251      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.165647030 CET  32583        50251      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.165776014 CET  50251        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.165873051 CET  50251        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.166541100 CET  50252        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.170850992 CET  32583        50251      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.171787977 CET  32583        50252      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.171904087 CET  50252        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.181025028 CET  50252        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.187539101 CET  32583        50252      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.678805113 CET  32583        50252      198.23.227.212  192.168.2.5
Nov 5, 2024 12:45:02.681826115 CET  50252        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.681874037 CET  50252        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.682459116 CET  50253        32583      192.168.2.5     198.23.227.212
Nov 5, 2024 12:45:02.686650038 CET  32583        50252      198.23.227.212  192.168.2.5
                                      Nov 5, 2024 12:45:02.687279940 CET3258350253198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:02.687385082 CET5025332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:02.690884113 CET5025332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:02.695698023 CET3258350253198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.201270103 CET3258350253198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.201396942 CET5025332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.201457977 CET5025332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.202058077 CET5025432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.206365108 CET3258350253198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.206854105 CET3258350254198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.206927061 CET5025432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.210688114 CET5025432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.215464115 CET3258350254198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.715771914 CET3258350254198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.716003895 CET5025432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.716048002 CET5025432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.716666937 CET5025532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.720902920 CET3258350254198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.721493959 CET3258350255198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:03.721570969 CET5025532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.725049019 CET5025532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:03.729974985 CET3258350255198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.229756117 CET3258350255198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.229865074 CET5025532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.229953051 CET5025532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.230521917 CET5025632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.234817028 CET3258350255198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.235307932 CET3258350256198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.235389948 CET5025632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.239176035 CET5025632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.244067907 CET3258350256198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.742002010 CET3258350256198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.742080927 CET5025632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.742122889 CET5025632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.742660046 CET5025732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.746956110 CET3258350256198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.747524023 CET3258350257198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:04.747629881 CET5025732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.751522064 CET5025732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:04.756441116 CET3258350257198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.280466080 CET3258350257198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.280535936 CET5025732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.280627966 CET5025732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.281491995 CET5025832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.287878990 CET3258350257198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.288489103 CET3258350258198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.288573027 CET5025832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.294001102 CET5025832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.300575972 CET3258350258198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.797933102 CET3258350258198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.799768925 CET5025832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.799830914 CET5025832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.800369024 CET5025932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.804871082 CET3258350258198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.805212975 CET3258350259198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:05.805322886 CET5025932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.809124947 CET5025932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:05.813971996 CET3258350259198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.311732054 CET3258350259198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.311996937 CET5025932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.311996937 CET5025932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.312654018 CET5026032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.317029953 CET3258350259198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.317519903 CET3258350260198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.317593098 CET5026032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.321028948 CET5026032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.325917959 CET3258350260198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.818304062 CET3258350260198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.818373919 CET5026032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.818470001 CET5026032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.819211006 CET5026132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.823426962 CET3258350260198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.824119091 CET3258350261198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:06.824193954 CET5026132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.829520941 CET5026132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:06.834873915 CET3258350261198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.331037045 CET3258350261198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.331836939 CET5026132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.331836939 CET5026132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.332597971 CET5026232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.336951971 CET3258350261198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.337495089 CET3258350262198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.337584019 CET5026232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.340967894 CET5026232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.345813036 CET3258350262198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.844119072 CET3258350262198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.844203949 CET5026232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.844274044 CET5026232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.844719887 CET5026332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.849102974 CET3258350262198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.849546909 CET3258350263198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:07.849809885 CET5026332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.853461981 CET5026332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:07.858299017 CET3258350263198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.364080906 CET3258350263198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.364207983 CET5026332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.364312887 CET5026332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.364849091 CET5026432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.369074106 CET3258350263198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.369679928 CET3258350264198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.369750977 CET5026432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.373191118 CET5026432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.378012896 CET3258350264198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.883446932 CET3258350264198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.883523941 CET5026432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.883577108 CET5026432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.884095907 CET5026532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.888427973 CET3258350264198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.888962984 CET3258350265198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:08.889066935 CET5026532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.892815113 CET5026532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:08.897624969 CET3258350265198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.395802975 CET3258350265198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.399848938 CET5026532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.399904013 CET5026532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.401037931 CET5026632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.404685974 CET3258350265198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.405982971 CET3258350266198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.406240940 CET5026632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.409735918 CET5026632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.414700031 CET3258350266198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.912224054 CET3258350266198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.915855885 CET5026632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.915925026 CET5026632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.916476965 CET5026732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.920909882 CET3258350266198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.921438932 CET3258350267198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:09.923831940 CET5026732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.929811001 CET5026732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:09.934716940 CET3258350267198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.431633949 CET3258350267198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.431710958 CET5026732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.431760073 CET5026732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.432553053 CET5026832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.436609030 CET3258350267198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.437570095 CET3258350268198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.437648058 CET5026832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.443584919 CET5026832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.448651075 CET3258350268198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.946557999 CET3258350268198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.946643114 CET5026832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.946682930 CET5026832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.947150946 CET5026932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.951527119 CET3258350268198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.951987028 CET3258350269198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:10.952059031 CET5026932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.955457926 CET5026932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:10.960278034 CET3258350269198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.459790945 CET3258350269198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.463975906 CET5026932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.463975906 CET5026932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.464523077 CET5027032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.469052076 CET3258350269198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.469408035 CET3258350270198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.471848011 CET5027032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.475368023 CET5027032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.480161905 CET3258350270198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.974294901 CET3258350270198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.975816011 CET5027032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.975883961 CET5027032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.976443052 CET5027132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.982584000 CET3258350270198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.983063936 CET3258350271198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:11.983829975 CET5027132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.987288952 CET5027132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:11.994091988 CET3258350271198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:12.490911961 CET3258350271198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:12.490978956 CET5027132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:12.491103888 CET5027132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:12.492027998 CET5027232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:12.497176886 CET3258350271198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:12.497245073 CET3258350272198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:12.497328043 CET5027232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:12.502696991 CET5027232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:12.507534027 CET3258350272198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.002984047 CET3258350272198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.003192902 CET5027232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.003267050 CET5027232583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.003973007 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.008121014 CET3258350272198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.008820057 CET3258350273198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.008903027 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.012190104 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.017544985 CET3258350273198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.786453009 CET3258350273198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.786673069 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.786691904 CET3258350273198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.786747932 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.786762953 CET5027332583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.787250042 CET5027432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.791589975 CET3258350273198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.795129061 CET3258350274198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:13.795825958 CET5027432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.799379110 CET5027432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:13.804194927 CET3258350274198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.301490068 CET3258350274198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.301564932 CET5027432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.301801920 CET5027432583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.306624889 CET3258350274198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.308031082 CET5027532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.312936068 CET3258350275198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.313028097 CET5027532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.318234921 CET5027532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.323081017 CET3258350275198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.826529026 CET3258350275198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.827836037 CET5027532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.827944994 CET5027532583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.828445911 CET5027632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.832741976 CET3258350275198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.833220005 CET3258350276198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:14.833503962 CET5027632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.836931944 CET5027632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:14.841790915 CET3258350276198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.348212004 CET3258350276198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.348486900 CET5027632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.352902889 CET5027632583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.353888035 CET5027732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.357686996 CET3258350276198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.358727932 CET3258350277198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.358804941 CET5027732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.362281084 CET5027732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.367130041 CET3258350277198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.859528065 CET3258350277198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.859586000 CET5027732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.859725952 CET5027732583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.860445023 CET5027832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.864485025 CET3258350277198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.865257978 CET3258350278198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:15.865459919 CET5027832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.870898962 CET5027832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:15.875686884 CET3258350278198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.374303102 CET3258350278198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.375880957 CET5027832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.375910997 CET5027832583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.376513004 CET5027932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.381136894 CET3258350278198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.381484032 CET3258350279198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.381633997 CET5027932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.387202024 CET5027932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.392050982 CET3258350279198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.888674021 CET3258350279198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.888904095 CET5027932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.888904095 CET5027932583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.889442921 CET5028032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.894181967 CET3258350279198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.894336939 CET3258350280198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:16.894427061 CET5028032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.897895098 CET5028032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:16.902735949 CET3258350280198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:17.410435915 CET3258350280198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:17.410495043 CET5028032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:17.410532951 CET5028032583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:17.411027908 CET5028132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:17.415343046 CET3258350280198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:17.415848970 CET3258350281198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:17.415920973 CET5028132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:17.420087099 CET5028132583192.168.2.5198.23.227.212
                                      Nov 5, 2024 12:45:17.425064087 CET3258350281198.23.227.212192.168.2.5
                                      Nov 5, 2024 12:45:17.914957047 CET3258350281198.23.227.212192.168.2.5


                                      Target ID:0
                                      Start time:06:41:30
                                      Start date:05/11/2024
                                      Path:C:\Users\user\Desktop\ZeaS4nUxg4.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\ZeaS4nUxg4.exe"
                                      Imagebase:0x400000
                                      File size:493'056 bytes
                                      MD5 hash:D457D91B513AC2E3A4B539C28537DA71
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2034956271.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2037907768.000000000061E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2035507502.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:06:41:31
                                      Start date:05/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                      Imagebase:0x400000
                                      File size:493'056 bytes
                                      MD5 hash:D457D91B513AC2E3A4B539C28537DA71
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4497070505.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.2037328463.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4496904562.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: unknown
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 55%, ReversingLabs
                                      Reputation:low
                                      Has exited:false

                                      Target ID:3
                                      Start time:06:41:44
                                      Start date:05/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                      Imagebase:0x400000
                                      File size:493'056 bytes
                                      MD5 hash:D457D91B513AC2E3A4B539C28537DA71
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2168302715.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2168449413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2166573056.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:true

                                      Target ID:5
                                      Start time:06:41:52
                                      Start date:05/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                      Imagebase:0x400000
                                      File size:493'056 bytes
                                      MD5 hash:D457D91B513AC2E3A4B539C28537DA71
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000000.2248506041.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2249150628.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2248999881.0000000000457000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:1.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:33.1%
                                        Total number of Nodes:671
                                        Total number of Limit Nodes:21
execution_graph: node and edge listing of the interactive graph view (raw rendering data, not reproduced here)
46995 40294a 28 API calls 46992->46995 46994->46987 46995->46994 46997 40250d 46996->46997 46999 40252b 46997->46999 47000 40261a 28 API calls 46997->47000 46999->46722 47000->46999 47001->46732 47002->46732 47003->46731 47004->46743 47005->46747 47006->46751 47007->46753 47010 402e85 47009->47010 47011 402ea9 47010->47011 47012 402e98 47010->47012 47014 402eae 47010->47014 47011->46762 47016 403445 28 API calls 47012->47016 47014->47011 47017 40225b 11 API calls 47014->47017 47016->47011 47017->47011 47019 404bd0 47018->47019 47022 40245c 47019->47022 47021 404be4 47021->46765 47023 402469 47022->47023 47025 402478 47023->47025 47026 402ad3 28 API calls 47023->47026 47025->47021 47026->47025 47027->46769 47028->46771 47030 401e94 47029->47030 47032 41b183 47031->47032 47033 41b168 GetCurrentProcess IsWow64Process 47031->47033 47032->46783 47033->47032 47034 41b17f 47033->47034 47034->46783 47036 412541 RegQueryValueExA RegCloseKey 47035->47036 47037 412569 47035->47037 47036->47037 47038 401f66 28 API calls 47037->47038 47039 41257e 47038->47039 47039->46786 47040->46797 47042 40b02f 47041->47042 47045 40b04b 47042->47045 47044 40b045 47044->46805 47046 40b055 47045->47046 47048 40b060 47046->47048 47049 40b138 28 API calls 47046->47049 47048->47044 47049->47048 47050->46809 47051->46812 47053 403b48 47052->47053 47062 403b7a 28 API calls 47053->47062 47055 403b5a 47055->46830 47056->46821 47057->46850 47058->46849 47059->46837 47060->46842 47061->46848 47062->47055 47064 408577 47063->47064 47106 402ca8 47064->47106 47068 4085a3 47068->46881 47070 40bba1 47069->47070 47071 40bbdd 47069->47071 47124 40b0dd 47070->47124 47072 40bc1e 47071->47072 47074 40b0dd 28 API calls 47071->47074 47075 40bc5f 47072->47075 47078 40b0dd 28 API calls 47072->47078 47077 40bbf4 47074->47077 47075->46902 47075->46903 47080 4028cf 28 API calls 47077->47080 47081 40bc35 47078->47081 47079 4028cf 28 API calls 47082 40bbbd 47079->47082 47083 40bbfe 47080->47083 47084 4028cf 28 API calls 
47081->47084 47085 412774 14 API calls 47082->47085 47086 412774 14 API calls 47083->47086 47087 40bc3f 47084->47087 47088 40bbd1 47085->47088 47089 40bc12 47086->47089 47090 412774 14 API calls 47087->47090 47091 401e13 11 API calls 47088->47091 47093 401e13 11 API calls 47089->47093 47092 40bc53 47090->47092 47091->47071 47094 401e13 11 API calls 47092->47094 47093->47072 47094->47075 47096 401e0c 47095->47096 47130 402d8b 47097->47130 47099 4028dd 47099->46884 47101 4127c6 47100->47101 47102 412789 47100->47102 47103 401e13 11 API calls 47101->47103 47105 4127a2 RegSetValueExW RegCloseKey 47102->47105 47104 40be89 47103->47104 47104->46934 47105->47101 47107 402cb5 47106->47107 47108 402cc8 47107->47108 47110 402cd9 47107->47110 47111 402cde 47107->47111 47117 403374 28 API calls 47108->47117 47113 402de3 47110->47113 47111->47110 47118 402f21 11 API calls 47111->47118 47114 402daf 47113->47114 47119 4030f7 47114->47119 47116 402dcd 47116->47068 47117->47110 47118->47110 47120 403101 47119->47120 47122 403115 47120->47122 47123 4036c2 28 API calls 47120->47123 47122->47116 47123->47122 47125 40b0e9 47124->47125 47126 402ca8 28 API calls 47125->47126 47127 40b10c 47126->47127 47128 402de3 28 API calls 47127->47128 47129 40b11f 47128->47129 47129->47079 47131 402d97 47130->47131 47132 4030f7 28 API calls 47131->47132 47133 402dab 47132->47133 47133->47099 47135 40230d 47134->47135 47136 402325 28 API calls 47135->47136 47137 401f80 47136->47137 47137->46549 47146 411637 62 API calls 47139->47146

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleLibraryLoadModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 384173800-625181639
                                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE
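Added analyst note (my code, not part of the Joe Sandbox output and not Remcos code): the function at 0041BCE3 resolves its Windows APIs at run time, so none of the exports listed above appear in the import table. In the report's listing the second argument shown for each LoadLibraryA/GetModuleHandleA call is the next value on the stack, the name that the GetProcAddress immediately after it receives; the Shlwapi entry passes 0000000C, an import by ordinal 12 whose name the report does not resolve. The Python below parses lines in exactly the report's format, pairs each library lookup with its GetProcAddress, and groups the results into triage buckets that are my own, not the report's. The input lines are copied from the listing above; nothing else is assumed.

```python
import re

# Constructed input: lines copied from the report's API listing for the function at
# 0041BCE3 (a subset; the parser accepts the complete listing unchanged).
REPORT_LINES = """\
LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
GetProcAddress.KERNEL32(00000000), ref: 0041BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
GetProcAddress.KERNEL32(00000000), ref: 0041BD58
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
GetProcAddress.KERNEL32(00000000), ref: 0041BE09
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
GetProcAddress.KERNEL32(00000000), ref: 0041BE53
"""

RESOLVER_RE = re.compile(
    r"^(?P<via>LoadLibraryA|GetModuleHandleA)\.KERNEL32\("
    r"(?P<lib>[^,]+),(?P<name>[^,]+),.*ref: (?P<ref>[0-9A-F]{8})$")
GETPROC_RE = re.compile(r"^GetProcAddress\.KERNEL32\(")
ORDINAL_RE = re.compile(r"^[0-9A-F]{8}$")

# Triage buckets (my grouping, not the report's).
TRIAGE = {
    "process-injection": {"NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"},
    "privilege-check":   {"IsUserAnAdmin"},
    "network-recon":     {"GetExtendedTcpTable", "GetExtendedUdpTable"},
    "process-recon":     {"GetProcessImageFileNameW"},
}


def parse_resolutions(text):
    """Pair each LoadLibraryA/GetModuleHandleA line with the GetProcAddress that follows it.
    The report prints the GetProcAddress name argument as the resolver's second argument
    because it is the next slot on the stack at the time of the resolver call."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ")
        m = RESOLVER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        if pending and GETPROC_RE.match(line):
            name = pending["name"]
            by_ordinal = ORDINAL_RE.match(name) is not None   # GetProcAddress(h, MAKEINTRESOURCEA(n))
            records.append({
                "library": pending["lib"].lower(),
                "export": None if by_ordinal else name,
                "ordinal": int(name, 16) if by_ordinal else None,
                "via": pending["via"],
                "ref": pending["ref"],
            })
            pending = None
    return records


def triage(records):
    """Group resolved exports into the TRIAGE buckets; ordinal imports get their own bucket."""
    hits = {}
    for rec in records:
        if rec["export"] is None:
            hits.setdefault("by-ordinal", []).append(f"{rec['library']}!#{rec['ordinal']}")
            continue
        for bucket, names in TRIAGE.items():
            if rec["export"] in names:
                hits.setdefault(bucket, []).append(rec["export"])
    return hits


if __name__ == "__main__":
    for bucket, names in triage(parse_resolutions(REPORT_LINES)).items():
        print(f"{bucket:18} {', '.join(names)}")
```

Run over the complete listing the same parser yields the full resolved-import profile of the sample. A profile that combines NtUnmapViewOfSection with NtSuspendProcess/NtResumeProcess and a by-ordinal Shlwapi import is worth pivoting on in a static hunt, independently of the C2 configuration.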

                                        Control-flow Graph

                                        [Control-flow graph of the function at 0040D767 (blocks 0040D767 to 0040E154), rendered as text; node data omitted. Legend: Executed / Not Executed. APIs called directly from this function's blocks: GetModuleFileNameW, StrToIntA, CreateThread (seven call sites), Sleep, DeleteFileW.]
                                        APIs
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000104), ref: 0040D790
                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: 0+b$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\ZeaS4nUxg4.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I7G983$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$hxc$licence$license_code.txt
                                        • API String ID: 2830904901-2854253804
                                        • Opcode ID: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                        • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                        • Opcode Fuzzy Hash: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                        • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                        Control-flow Graph

                                        APIs
                                        • _wcslen.LIBCMT ref: 0040BC75
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                        • _wcslen.LIBCMT ref: 0040BD54
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000000,00000000), ref: 0040BDF2
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                        • _wcslen.LIBCMT ref: 0040BE34
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                        • ExitProcess.KERNEL32 ref: 0040BED0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 0+b$6$C:\Users\user\Desktop\ZeaS4nUxg4.exe$del$hxc$open
                                        • API String ID: 1579085052-3635470953
                                        • Opcode ID: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                        • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                        • Opcode Fuzzy Hash: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                        • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
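Added detection example (my code, not the report's and not the sample's): the API order in this function is the install step. CreateDirectoryW, then CopyFileW of the running image (C:\Users\user\Desktop\ZeaS4nUxg4.exe) into the install directory, SetFileAttributesW with 00000007 (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM), a registry write through the subcall at 00412774 (RegCreateKeyW, RegSetValueExW), ShellExecuteW with the verb "open" on the copy, and finally ExitProcess. The Python below correlates that chain over a constructed stream of Sysmon-style events (Event ID 11 FileCreate, 13 RegistryValueSet, 1 ProcessCreate), keyed by the dropped image path and the dropper's process id inside a time window. The field names are Sysmon's; the events, pids, the SID, the install path C:\Users\user\AppData\Roaming\example\agent.exe and the use of a CurrentVersion\Run value are assumptions for the example, since this part of the report does not name the key the sample writes.

```python
from datetime import datetime, timedelta

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"
RUN_KEY_MARKER = r"\currentversion\run"     # matches Run and RunOnce under HKCU or HKLM

# FILE_ATTRIBUTE_* bits as passed to SetFileAttributesW; the sample passes 7.
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE",
                   0x80: "NORMAL", 0x100: "TEMPORARY"}


def decode_file_attributes(value):
    return [name for bit, name in FILE_ATTRIBUTES.items() if value & bit]


# Constructed Sysmon-style events (not real telemetry). Pids, times, the SID and the
# install path are invented for the example; the dropper path is the report's.
DROPPER = r"C:\Users\user\Desktop\ZeaS4nUxg4.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\example\agent.exe"
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-11-04 10:00:01.000", "ProcessId": 4242, "Image": DROPPER,
     "TargetFilename": DROPPED},
    # a non-Run value from the same process must not count as persistence on its own
    {"EventID": 13, "UtcTime": "2024-11-04 10:00:01.100", "ProcessId": 4242, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\example\exepath", "Details": DROPPED},
    {"EventID": 13, "UtcTime": "2024-11-04 10:00:01.250", "ProcessId": 4242, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\example",
     "Details": DROPPED},
    {"EventID": 1, "UtcTime": "2024-11-04 10:00:01.600", "ProcessId": 5100, "Image": DROPPED,
     "ParentProcessId": 4242, "ParentImage": DROPPER},
    # benign: an installer drops and starts an exe but registers no Run value
    {"EventID": 11, "UtcTime": "2024-11-04 10:05:00.000", "ProcessId": 7000,
     "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Program Files\Vendor\tool.exe"},
    {"EventID": 1, "UtcTime": "2024-11-04 10:05:02.000", "ProcessId": 7010,
     "Image": r"C:\Program Files\Vendor\tool.exe", "ParentProcessId": 7000,
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], SYSMON_TIME)


def find_install_chains(events, window=timedelta(seconds=30)):
    """Return one record per FileCreate of an .exe that, within `window`, is both
    registered under a Run key by the same process and started as that process's child."""
    events = sorted(events, key=_ts)
    chains = []
    for i, drop in enumerate(events):
        if drop["EventID"] != 11 or not drop["TargetFilename"].lower().endswith(".exe"):
            continue
        dropped = drop["TargetFilename"].lower()
        deadline = _ts(drop) + window
        run_value = child = None
        for ev in events[i + 1:]:
            if _ts(ev) > deadline:
                break
            if (ev["EventID"] == 13 and ev["ProcessId"] == drop["ProcessId"]
                    and RUN_KEY_MARKER in ev["TargetObject"].lower()
                    and dropped in ev["Details"].lower()):
                run_value = ev
            elif (ev["EventID"] == 1 and ev["Image"].lower() == dropped
                    and ev["ParentProcessId"] == drop["ProcessId"]):
                child = ev
        if run_value and child:
            chains.append({
                "dropper_image": drop["Image"], "dropper_pid": drop["ProcessId"],
                "dropped_image": drop["TargetFilename"],
                "run_value": run_value["TargetObject"], "child_pid": child["ProcessId"],
                "seconds": (_ts(child) - _ts(drop)).total_seconds(),
            })
    return chains


if __name__ == "__main__":
    print("attributes 0x7 =", decode_file_attributes(0x7))
    for chain in find_install_chains(EVENTS):
        print("persistence chain:", chain)
```

The rule keys on the dropped image rather than on the dropper, which is what makes it survive a renamed first-stage: the copy must be both the Details of the Run value and the Image of the child process, and the dropper's ExitProcess right after ShellExecuteW is why the parent pid, not the parent image, is the stable join key.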

                                        Control-flow Graph

                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                        • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                        • Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                        • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F
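Added example (my code, not the report's): the string table of the function at 0040C89E is the vocabulary of install-directory tokens the configuration can name (AppData, ProgramData, ProgramFiles, SystemDrive, Temp, UserProfile, WinDir), and the graph shows the WinDir case calling the IsWow64Process helper at 0041B15B before appending \SysWOW64 or \system32; the result is then normalised with GetLongPathNameW. The Python below reproduces that mapping for a constructed 64-bit host environment and adds the reverse lookup a hunter needs, i.e. which token an observed path falls under. Which WOW64 outcome selects which suffix is an assumption (here WOW64 picks \SysWOW64); the GetLongPathNameW step is Windows-only and is omitted.

```python
import ntpath

# Constructed environment of a hypothetical 64-bit Windows 10 host as seen by a
# 32-bit process; the keys are the variable names in the function's string table.
ENV = {
    "AppData":      r"C:\Users\user\AppData\Roaming",
    "ProgramData":  r"C:\ProgramData",
    "ProgramFiles": r"C:\Program Files (x86)",
    "SystemDrive":  r"C:",
    "Temp":         r"C:\Users\user\AppData\Local\Temp",
    "UserProfile":  r"C:\Users\user",
    "WinDir":       r"C:\Windows",
}
TOKENS = tuple(ENV)


def resolve_install_root(token, env=ENV, is_wow64=True):
    """Map a configuration token to the directory the sample would install into.
    WinDir is the only token that gets a system-directory suffix; the suffix follows
    IsWow64Process (assumed: WOW64 -> \\SysWOW64, native 32-bit Windows -> \\system32)."""
    if token not in env:
        raise ValueError(f"unknown install-directory token: {token!r}")
    root = env[token]
    if token == "WinDir":
        root += r"\SysWOW64" if is_wow64 else r"\system32"
    elif token == "SystemDrive":
        root += "\\"        # "C:" alone is drive-relative; the root needs the separator
    return root


def build_install_path(token, subdir, filename, env=ENV, is_wow64=True):
    root = resolve_install_root(token, env, is_wow64)
    parts = [root, subdir, filename] if subdir else [root, filename]
    return ntpath.join(*parts)


def classify_path(path, env=ENV):
    """Reverse lookup for hunting: which token would produce this path? Longest root wins,
    so AppData\\Local\\Temp classifies as Temp rather than UserProfile."""
    p = ntpath.normcase(path)
    best, best_len = None, 0
    for token in TOKENS:
        root = ntpath.normcase(env[token]).rstrip("\\") + "\\"
        if p.startswith(root) and len(root) > best_len:
            best, best_len = token, len(root)
    return best


if __name__ == "__main__":
    print(build_install_path("WinDir", "", "agent.exe"))
    print(classify_path(r"C:\Users\user\AppData\Local\Temp\x.exe"))
```

The SystemDrive branch is the one that bites in practice: the variable expands to "C:" without a trailing separator, and a path joined to it is drive-relative (the current directory on C:), not the drive root, so the separator is added explicitly before joining.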

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 782494840-2070987746
                                        • Opcode ID: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                        • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                        • Opcode Fuzzy Hash: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                        • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                        Control-flow Graph

                                        control_flow_graph 652 412774-412787 RegCreateKeyW 653 4127c6 652->653 654 412789-4127c4 call 4022f8 call 401e07 RegSetValueExW RegCloseKey 652->654 656 4127c8-4127d4 call 401e13 653->656 654->656
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                        • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,0+b,759237E0,?), ref: 004127AD
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,0+b,759237E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                        Strings
                                        • 0+b, xrefs: 00412774
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: 0+b$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 1818849710-2277313595
                                        • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                        • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

                                        Control-flow Graph

                                        control_flow_graph 662 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                        • GetLastError.KERNEL32 ref: 0040BEF1
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: Rmc-I7G983
                                        • API String ID: 1925916568-3173645232
                                        • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                        • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                        • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                        • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                        Control-flow Graph

                                        control_flow_graph 693 412513-41253f RegOpenKeyExA 694 412541-412567 RegQueryValueExA RegCloseKey 693->694 695 412572 693->695 694->695 696 412569-412570 694->696 697 412577-412583 call 401f66 695->697 696->697
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                        • RegCloseKey.KERNEL32(?), ref: 0041255F
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                        • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                        • Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                        • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                        Control-flow Graph

                                        control_flow_graph 700 4124b7-4124df RegOpenKeyExA 701 4124e1-412509 RegQueryValueExA RegCloseKey 700->701 702 41250f-412512 700->702 701->702 703 41250b-41250e 701->703
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                        • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                                        Control-flow Graph

                                        control_flow_graph 704 43360d-433610 705 43361f-433622 call 43a88c 704->705 707 433627-43362a 705->707 708 433612-43361d call 442200 707->708 709 43362c-43362d 707->709 708->705 712 43362e-433632 708->712 713 433638-433dec call 433d58 call 437bd7 712->713 714 433ded-433e09 call 433d8b call 437bd7 712->714 713->714
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                          • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID:
                                        • API String ID: 3476068407-0
                                        • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                        • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                        • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                        • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                        Control-flow Graph

                                        control_flow_graph 724 446aff-446b0b 725 446b3d-446b48 call 445354 724->725 726 446b0d-446b0f 724->726 734 446b4a-446b4c 725->734 728 446b11-446b12 726->728 729 446b28-446b39 RtlAllocateHeap 726->729 728->729 730 446b14-446b1b call 4447c5 729->730 731 446b3b 729->731 730->725 736 446b1d-446b26 call 442200 730->736 731->734 736->725 736->729
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                        • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                        • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                        • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                          • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                          • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                          • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                          • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                        Similarity
                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                        • API String ID: 2918587301-184849705
                                        • Opcode ID: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                        • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                        • Opcode Fuzzy Hash: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                        • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                          • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                        • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                        • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                          • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                          • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                        • CloseHandle.KERNEL32 ref: 004053CD
                                        • CloseHandle.KERNEL32 ref: 004053D5
                                        • CloseHandle.KERNEL32 ref: 004053E7
                                        • CloseHandle.KERNEL32 ref: 004053EF
                                        Similarity
                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                        • API String ID: 3815868655-81343324
                                        • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                        • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                        • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                        • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                        • String ID: 0+b$0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                        • API String ID: 65172268-3472238074
                                        • Opcode ID: d192d8a590ecce51a9812f84f69104631043a8cd194a5600cb3b3bff2e47a3d7
                                        • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                        • Opcode Fuzzy Hash: d192d8a590ecce51a9812f84f69104631043a8cd194a5600cb3b3bff2e47a3d7
                                        • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                        • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                        • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                        • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                        APIs
                                        • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041CAE9
                                        • GetCursorPos.USER32(?), ref: 0041CAF8
                                        • SetForegroundWindow.USER32(?), ref: 0041CB01
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                        • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0041CB6C
                                        • ExitProcess.KERNEL32 ref: 0041CB74
                                        • CreatePopupMenu.USER32 ref: 0041CB7A
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1665278180-3535843008
                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                        • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                        • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                        • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                        • String ID: 0+b$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                        • API String ID: 726551946-3586631306
                                        • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                        • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                        • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                        • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                        APIs
                                        • OpenClipboard.USER32 ref: 004159C7
                                        • EmptyClipboard.USER32 ref: 004159D5
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID:
                                        • API String ID: 3520204547-0
                                        • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                        • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                        • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                        • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7
                                        • API String ID: 0-3177665633
                                        • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                        • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                        • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                        • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00409B3F
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                        • GetKeyboardState.USER32(?), ref: 00409B67
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID: 8[G
                                        • API String ID: 1888522110-1691237782
                                        • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                        • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                        • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                        • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                        APIs
                                        • _wcslen.LIBCMT ref: 00406788
                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                        • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                        • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                        • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                        • GetLastError.KERNEL32 ref: 00419935
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                        • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                        • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                        • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                        • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                        • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID: <D$<D$<D
                                        • API String ID: 745075371-3495170934
                                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                        • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                        • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: @CG$XCG$`HG$`HG$>G
                                        • API String ID: 341183262-3780268858
                                        • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                        • Opcode Fuzzy Hash: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                        • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                        • GetLastError.KERNEL32 ref: 00409A1B
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                        • TranslateMessage.USER32(?), ref: 00409A7A
                                        • DispatchMessageA.USER32(?), ref: 00409A85
                                        Strings
                                        • Keylogger initialization failure: error , xrefs: 00409A32
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error
                                        • API String ID: 3219506041-952744263
                                        • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                        • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                        • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                        • Opcode Fuzzy Hash: 4bfa0ab92cfe4c7e273a593f9c438f6144fcaff52e32c91ef8c2f101195a9e69
                                        • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                        APIs
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                        • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                        • ExitProcess.KERNEL32 ref: 0040E672
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 0+b$5.3.0 Pro$override$pth_unenc
                                        • API String ID: 2281282204-3271030116
                                        • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                        • Opcode Fuzzy Hash: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                        • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                        • GetLastError.KERNEL32 ref: 0040B261
                                        Strings
                                        • UserProfile, xrefs: 0040B227
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                        • Opcode Fuzzy Hash: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                        • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                        • GetLastError.KERNEL32 ref: 00416B02
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                        • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                        • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                        • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                        • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004089AE
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                          • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                          • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                          • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Similarity
                                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                        • String ID:
                                        • API String ID: 4043647387-0
                                        • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                        • Opcode Fuzzy Hash: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                        • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                        • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                        • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                        APIs
                                          • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                          • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                          • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                          • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                          • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                        • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-1420736420
                                        • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                        • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                        • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                        • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                        • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                        • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                        • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                        • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                        • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                        • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                        • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00407A91
                                        • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                        • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                        • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                        • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                        • _free.LIBCMT ref: 00448067
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00448233
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                        • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                        • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                        • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: C:\Users\user\Desktop\ZeaS4nUxg4.exe$open
                                        • API String ID: 2825088817-3128600924
                                        • Opcode ID: d856352b29c500f65ac61f264686a0ac45c8e93dcc938b66659ffa0f0ca1f413
                                        • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                        • Opcode Fuzzy Hash: d856352b29c500f65ac61f264686a0ac45c8e93dcc938b66659ffa0f0ca1f413
                                        • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: x@G$x@G
                                        • API String ID: 4113138495-3390264752
                                        • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                        • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                        • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                        • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                          • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                          • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                          • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3576401099
                                        • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                        • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                        • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                        • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                        • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                        • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID:
                                        • API String ID: 4212172061-0
                                        • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                        • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                        • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                        • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00408DAC
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstH_prologNext
                                        • String ID:
                                        • API String ID: 301083792-0
                                        • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                        • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                        • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                        • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        • String ID:
                                        • API String ID: 2829624132-0
                                        • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                        • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                        • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                        • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                        • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                        • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                        • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                        • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                        • ExitProcess.KERNEL32 ref: 0044258E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                        • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                        • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                        • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                        • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenSuspend
                                        • String ID:
                                        • API String ID: 1999457699-0
                                        • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                        • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                        • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                        • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                        • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                        • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenResume
                                        • String ID:
                                        • API String ID: 3614150671-0
                                        • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                        • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                        • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                        • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-248832578
                                        • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                        • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                        • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                        • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: <D
                                        • API String ID: 1084509184-3866323178
                                        • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                        • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                        • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                        • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: <D
                                        • API String ID: 1084509184-3866323178
                                        • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                        • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                        • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                        • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        • API String ID: 2299586839-2904428671
                                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                        • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                        • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                        • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                        • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                        • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                        APIs
                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                        • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                        • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                        • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                        • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                        • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                        • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                        • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        • API String ID: 1663032902-0
                                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                        • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                        • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        • API String ID: 2692324296-0
                                        • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                        • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                        • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                        • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                        APIs
                                          • Part of subcall function 00444ACC: RtlEnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                        • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                        • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                        • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                        • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                        • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                        • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                        • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                        • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                        • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                        • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                        • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                        • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                        • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                        • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                        • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                        • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                        • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                        • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                        • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                        • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                        • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                        • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                        • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                        • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                        • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                        • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                        • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                        • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                        • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                        • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                        • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                        • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                        APIs
                                        • 73A165D0.GDI32(DISPLAY,00000000,00000000,00000000,?,?,?,00000000), ref: 00417FB9
                                        • 73A14C40.GDI32(00000000,?,?,?,00000000), ref: 00417FC4
                                          • Part of subcall function 00418452: 73A3E620.USER32(?,000000FF,?), ref: 00418482
                                        • 73A14C00.GDI32(?,00000000,?,?,?,?,00000000), ref: 00418045
                                        • DeleteDC.GDI32(?), ref: 0041805D
                                        • DeleteDC.GDI32(00000000), ref: 00418060
                                        • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                        • GetCursorInfo.USER32(?), ref: 004180B5
                                        • GetIconInfo.USER32(?,?), ref: 004180CB
                                        • DeleteObject.GDI32(?), ref: 004180FA
                                        • DeleteObject.GDI32(?), ref: 00418107
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                        • 73A14D40.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                        • DeleteDC.GDI32(?), ref: 0041827F
                                        • DeleteDC.GDI32(00000000), ref: 00418282
                                        • DeleteObject.GDI32(00000000), ref: 00418285
                                        • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                        • DeleteObject.GDI32(00000000), ref: 00418344
                                        • GlobalFree.KERNEL32(?), ref: 0041834B
                                        • DeleteDC.GDI32(?), ref: 0041835B
                                        • DeleteDC.GDI32(00000000), ref: 00418366
                                        • DeleteDC.GDI32(?), ref: 00418398
                                        • DeleteDC.GDI32(00000000), ref: 0041839B
                                        • DeleteObject.GDI32(?), ref: 004183A1
                                        Similarity
                                        • API ID: Delete$Object$AllocGlobal$FreeIconInfoLocal$A165BitsCursorDrawE620SelectStretch
                                        • String ID: DISPLAY
                                        • API String ID: 2554600341-865373369
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                        • ResumeThread.KERNEL32(?), ref: 00417582
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                        • GetLastError.KERNEL32 ref: 004175C7
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                        • API String ID: 4188446516-3035715614
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                          • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                        • ExitProcess.KERNEL32 ref: 0040C63E
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hxc$open$wend$while fso.FileExists("
                                        • API String ID: 1861856835-227340837
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                        • ExitProcess.KERNEL32 ref: 0040C287
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$0+b$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hxc$open$pth_unenc$wend$while fso.FileExists("
                                        • API String ID: 3797177996-3745384796
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                        • ExitProcess.KERNEL32 ref: 0041151D
                                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                          • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                          • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                          • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                          • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                        • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                        • API String ID: 4250697656-2665858469
                                        • Opcode ID: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                        • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                        • Opcode Fuzzy Hash: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                        • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                        • SetEvent.KERNEL32 ref: 0041A38A
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                        • CloseHandle.KERNEL32 ref: 0041A3AB
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                        • API String ID: 738084811-2745919808
                                        • Opcode ID: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                        • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                        • Opcode Fuzzy Hash: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                        • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                        • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                        • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                        • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                        • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000001,004068B2,C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000003,004068DA,0+b,00406933), ref: 004064F4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Users\user\Desktop\ZeaS4nUxg4.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-1276798069
                                        • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                        • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                        • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                        • lstrlenW.KERNEL32(?), ref: 0041B207
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                        • _wcslen.LIBCMT ref: 0041B2DB
                                        • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                        • GetLastError.KERNEL32 ref: 0041B313
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                        • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                        • GetLastError.KERNEL32 ref: 0041B370
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                        • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                        • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                        • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                        • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                        • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                        • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$HDG$HDG$>G$>G
                                        • API String ID: 1223786279-3931108886
                                        • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                        • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                        • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                        • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                        • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                        • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                        • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                        • __aulldiv.LIBCMT ref: 00407FE9
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                        • API String ID: 1884690901-3066803209
                                        • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                        • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                        • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                        • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 00409E62
                                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                        • API String ID: 3795512280-3163867910
                                        • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                        • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                        • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                        • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                        • API String ID: 2490988753-3078833738
                                        • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                        • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                        • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                        • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 004500B1
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                        • _free.LIBCMT ref: 004500A6
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 004500C8
                                        • _free.LIBCMT ref: 004500DD
                                        • _free.LIBCMT ref: 004500E8
                                        • _free.LIBCMT ref: 0045010A
                                        • _free.LIBCMT ref: 0045011D
                                        • _free.LIBCMT ref: 0045012B
                                        • _free.LIBCMT ref: 00450136
                                        • _free.LIBCMT ref: 0045016E
                                        • _free.LIBCMT ref: 00450175
                                        • _free.LIBCMT ref: 00450192
                                        • _free.LIBCMT ref: 004501AA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                        • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0041912D
                                        • 73BA5D90.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                        • Sleep.KERNEL32(000003E8), ref: 0041926D
                                        • GetLocalTime.KERNEL32(?), ref: 0041927C
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryH_prologLocalTime
                                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                        • API String ID: 3069631530-65789007
                                        • Opcode ID: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                        • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                        • Opcode Fuzzy Hash: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                        • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                        APIs
                                        • connect.WS2_32(?,?,?), ref: 004042A5
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                        • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                        • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                        • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                        • ExitProcess.KERNEL32 ref: 0040C832
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                        • API String ID: 1913171305-390638927
                                        • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                        • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                        • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                        • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                        • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                        • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                        • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                        • closesocket.WS2_32(?), ref: 0040481F
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                        • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                        • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                        • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                        • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                        • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                        • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                        • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                        • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                        • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                        APIs
                                          • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                        • GetLastError.KERNEL32 ref: 00454A96
                                        • __dosmaperr.LIBCMT ref: 00454A9D
                                        • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                        • GetLastError.KERNEL32 ref: 00454AB3
                                        • __dosmaperr.LIBCMT ref: 00454ABC
                                        • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                        • CloseHandle.KERNEL32(?), ref: 00454C26
                                        • GetLastError.KERNEL32 ref: 00454C58
                                        • __dosmaperr.LIBCMT ref: 00454C5F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                        • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                        • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                        • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040A456
                                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                                        • GetForegroundWindow.USER32 ref: 0040A467
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                        • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                        • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                        • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                        • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                        • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                        • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00416EF0
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                        • String ID: <$@$@FG$@FG$TUF$Temp
                                        • API String ID: 1107811701-4124992407
                                        • Opcode ID: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                        • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                        • Opcode Fuzzy Hash: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                        • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                        • __dosmaperr.LIBCMT ref: 004393CD
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                        • __dosmaperr.LIBCMT ref: 0043940A
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                        • __dosmaperr.LIBCMT ref: 0043945E
                                        • _free.LIBCMT ref: 0043946A
                                        • _free.LIBCMT ref: 00439471
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                        • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                        • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                        • TranslateMessage.USER32(?), ref: 00404F30
                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                        • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                        • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,?,00003000,00000004,00000000,00000001), ref: 00406647
                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\ZeaS4nUxg4.exe), ref: 00406705
                                        Similarity
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir
                                        • API String ID: 2050909247-943210432
                                        • Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                        • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                        • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                        • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                        • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                        APIs
                                        • _free.LIBCMT ref: 00446DDF
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00446DEB
                                        • _free.LIBCMT ref: 00446DF6
                                        • _free.LIBCMT ref: 00446E01
                                        • _free.LIBCMT ref: 00446E0C
                                        • _free.LIBCMT ref: 00446E17
                                        • _free.LIBCMT ref: 00446E22
                                        • _free.LIBCMT ref: 00446E2D
                                        • _free.LIBCMT ref: 00446E38
                                        • _free.LIBCMT ref: 00446E46
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                        • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                        • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                        • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                        Strings
                                        • DisplayName, xrefs: 0041B8D1
                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                        Similarity
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                        • API String ID: 1332880857-3614651759
                                        • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                        • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                        • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                        Similarity
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                        • API String ID: 3578746661-4192532303
                                        • Opcode ID: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                        • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                        • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        • Sleep.KERNEL32(00000064), ref: 00416688
                                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                        Similarity
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                        • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                        • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                        APIs
                                        • _strftime.LIBCMT ref: 00401AD3
                                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                        Similarity
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                        • API String ID: 3809562944-3643129801
                                        • Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                        • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                        • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                        • waveInStart.WINMM ref: 00401A81
                                        Similarity
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: XCG$`=G$x=G
                                        • API String ID: 1356121797-903574159
                                        • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                        • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                        • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                          • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                          • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                          • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                        • lstrcpyn.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                        • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0041C9EF
                                        • TranslateMessage.USER32(?), ref: 0041C9FB
                                        • DispatchMessageA.USER32(?), ref: 0041CA05
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                        Similarity
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                        • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                        • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                        • __alloca_probe_16.LIBCMT ref: 00452C91
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                        • __alloca_probe_16.LIBCMT ref: 00452D3B
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                        • __freea.LIBCMT ref: 00452DAA
                                        • __freea.LIBCMT ref: 00452DB6
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 201697637-0
                                        • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                        • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                        • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                        • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • _memcmp.LIBVCRUNTIME ref: 004446A3
                                        • _free.LIBCMT ref: 00444714
                                        • _free.LIBCMT ref: 0044472D
                                        • _free.LIBCMT ref: 0044475F
                                        • _free.LIBCMT ref: 00444768
                                        • _free.LIBCMT ref: 00444774
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                        • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                        • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                        • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                        • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                        • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                        • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                          • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                        • RtlExitUserThread.KERNEL32(00000000), ref: 004017F4
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                          • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                          • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                        • String ID: T=G$p[G$>G$>G
                                        • API String ID: 2307665288-2461731529
                                        • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                        • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                        • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                        • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: TUF$TUFTUF$>G$DG$DG
                                        • API String ID: 3114080316-72097156
                                        • Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                        • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                        • Opcode Fuzzy Hash: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                        • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                        • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                        • Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                        • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                        APIs
                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                        • _wcslen.LIBCMT ref: 0041A8F6
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 3286818993-703403762
                                        • Opcode ID: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                        • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                        • Opcode Fuzzy Hash: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                        • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                        APIs
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                        • API String ID: 1133728706-1738023494
                                        • Opcode ID: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                        • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                        • Opcode Fuzzy Hash: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                        • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                        APIs
                                        • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                        • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Console$Window$AllocOutputShow
                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                        • API String ID: 4067487056-2527699604
                                        • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                        • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                        • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                        • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                        • __alloca_probe_16.LIBCMT ref: 004499E2
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                        • __alloca_probe_16.LIBCMT ref: 00449AC7
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                        • __freea.LIBCMT ref: 00449B37
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        • __freea.LIBCMT ref: 00449B40
                                        • __freea.LIBCMT ref: 00449B65
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                        • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                        • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                        • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                        APIs
                                        • SendInput.USER32 ref: 00418B08
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                          • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend$Virtual
                                        • String ID:
                                        • API String ID: 1167301434-0
                                        APIs
                                        • OpenClipboard.USER32 ref: 00415A46
                                        • EmptyClipboard.USER32 ref: 00415A54
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID:
                                        • API String ID: 2172192267-0
                                        APIs
                                        • _free.LIBCMT ref: 00447EBC
                                        • _free.LIBCMT ref: 00447EE0
                                        • _free.LIBCMT ref: 00448067
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                        • _free.LIBCMT ref: 00448233
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        APIs
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        • _free.LIBCMT ref: 00444086
                                        • _free.LIBCMT ref: 0044409D
                                        • _free.LIBCMT ref: 004440BC
                                        • _free.LIBCMT ref: 004440D7
                                        • _free.LIBCMT ref: 004440EE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID: J7D
                                        • API String ID: 3033488037-1677391033
                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                        • __fassign.LIBCMT ref: 0044A180
                                        • __fassign.LIBCMT ref: 0044A19B
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                        • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: HE$HE
                                        • API String ID: 269201875-1978648262
                                        APIs
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                        • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                          • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                          • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID: PgF
                                        • API String ID: 2180151492-654241383
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                        • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                        • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                        • int.LIBCPMT ref: 0040FC0F
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: P[G
                                        • API String ID: 2536120697-571123470
                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        APIs
                                          • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                        • _free.LIBCMT ref: 0044FD29
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 0044FD34
                                        • _free.LIBCMT ref: 0044FD3F
                                        • _free.LIBCMT ref: 0044FD93
                                        • _free.LIBCMT ref: 0044FD9E
                                        • _free.LIBCMT ref: 0044FDA9
                                        • _free.LIBCMT ref: 0044FDB4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\ZeaS4nUxg4.exe), ref: 00406835
                                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        • CoUninitialize.OLE32 ref: 0040688E
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Users\user\Desktop\ZeaS4nUxg4.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-3594232010
                                        • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                        • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                        • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                        • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                        • int.LIBCPMT ref: 0040FEF2
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: H]G
                                        • API String ID: 2536120697-1717957184
                                        • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                        • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                        • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                        • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                        • GetLastError.KERNEL32 ref: 0040B2EE
                                        Strings
                                        • UserProfile, xrefs: 0040B2B4
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                        • [Chrome Cookies not found], xrefs: 0040B308
                                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                        • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                        • Opcode Fuzzy Hash: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                        • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0+b$C:\Users\user\Desktop\ZeaS4nUxg4.exe$Rmc-I7G983
                                        • API String ID: 0-2719601902
                                        • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                        • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                        • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                        • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                        APIs
                                        • _free.LIBCMT ref: 00443305
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00443317
                                        • _free.LIBCMT ref: 0044332A
                                        • _free.LIBCMT ref: 0044333B
                                        • _free.LIBCMT ref: 0044334C
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: `3c
                                        • API String ID: 776569668-2537965536
                                        • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                        • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                        APIs
                                        • __allrem.LIBCMT ref: 00439789
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                        • __allrem.LIBCMT ref: 004397BC
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                        • __allrem.LIBCMT ref: 004397F1
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                        • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                        • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                        • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                        • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                        • Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                        • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                        APIs
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID: a/p$am/pm
                                        • API String ID: 3509577899-3206640213
                                        • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                        • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                        • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                        • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                        • API String ID: 3469354165-462540288
                                        • Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                        • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                        • Opcode Fuzzy Hash: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                        • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                        • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                        • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                        • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                        • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                        • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                        • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                        • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                        • _free.LIBCMT ref: 00446EF6
                                        • _free.LIBCMT ref: 00446F1E
                                        • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                        • _abort.LIBCMT ref: 00446F3D
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                        • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                        • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                        • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                        • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$DG
                                        • API String ID: 3554306468-1089238109
                                        • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                        • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ZeaS4nUxg4.exe,00000104), ref: 00442714
                                        • _free.LIBCMT ref: 004427DF
                                        • _free.LIBCMT ref: 004427E9
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\ZeaS4nUxg4.exe$`&a
                                        • API String ID: 2506810119-1160073290
                                        • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                        • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                        APIs
                                          • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                          • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                          • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                        • API String ID: 2974294136-753205382
                                        • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                        • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                        APIs
                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                        • wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Similarity
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 1497725170-248792730
                                        • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                        • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: `AG
                                        • API String ID: 1958988193-3058481221
                                        • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                        • GetLastError.KERNEL32 ref: 0041CA91
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                        • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                                        • CloseHandle.KERNEL32(?), ref: 00406A14
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                        • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                        • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                        • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                        • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                        • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                        APIs
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                        • Sleep.KERNEL32(00002710), ref: 00419F79
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered
                                        • API String ID: 614609389-2816303416
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        APIs
                                          • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                        • RtlAllocateHeap.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                         • API String ID: 4001361727-0
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                         • API String ID: 269201875-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                        • __alloca_probe_16.LIBCMT ref: 0044FF58
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                        • __freea.LIBCMT ref: 0044FFC4
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                         • API String ID: 313313983-0
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                        • _free.LIBCMT ref: 0044E1A0
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                         • API String ID: 336800556-0
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                        • _free.LIBCMT ref: 00446F7D
                                        • _free.LIBCMT ref: 00446FA4
                                        • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                        • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free
                                         • API String ID: 3170660625-0
                                        APIs
                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpen$FileImageName
                                         • API String ID: 2951400881-0
                                        APIs
                                        • _free.LIBCMT ref: 0044F7B5
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 0044F7C7
                                        • _free.LIBCMT ref: 0044F7D9
                                        • _free.LIBCMT ref: 0044F7EB
                                        • _free.LIBCMT ref: 0044F7FD
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                         • API String ID: 776569668-0
                                        APIs
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                        • IsWindowVisible.USER32(?), ref: 004167A1
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                        • String ID: (FG
                                        • API String ID: 3142014140-2273637114
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044D4A8
                                        • _free.LIBCMT ref: 0044D5C5
                                          • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                          • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                          • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                          • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                        • String ID: XCG$`AG$>G
                                        • API String ID: 2334542088-2372832151
                                        • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                        • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                        • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                        • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$8>G
                                        • API String ID: 368326130-2663660666
                                        • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                        • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                        • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                        • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 0044DDE7: _abort.LIBCMT ref: 0044DE19
                                          • Part of subcall function 0044DDE7: _free.LIBCMT ref: 0044DE4D
                                          • Part of subcall function 0044DA5C: GetOEMCP.KERNEL32(00000000,?,?,0044DCE5,?), ref: 0044DA87
                                        • _free.LIBCMT ref: 0044DD40
                                        • _free.LIBCMT ref: 0044DD76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast_abort
                                        • String ID: `3c$`3c
                                        • API String ID: 2991157371-233917854
                                        • Opcode ID: 1c1e601d523f09ffc5791c958070a32dbad2633fea9a1d512da203678c683477
                                        • Instruction ID: 78e98af2e08dba5698695eadbe882f177ccac690bbf417dcf661007a8bbce0b0
                                        • Opcode Fuzzy Hash: 1c1e601d523f09ffc5791c958070a32dbad2633fea9a1d512da203678c683477
                                        • Instruction Fuzzy Hash: CE31E4B1D04108AFFB14EF69D441B9A77F4DF41324F25409FE9049B2A2EB799D41CB58
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                        • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                        • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                        • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                        • Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                        • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                        • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        • Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                        • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                        • Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                        • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                        • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                        • __dosmaperr.LIBCMT ref: 0044AAFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID: `@
                                        • API String ID: 2583163307-951712118
                                        • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                        • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00404946
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                        • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                        • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                        • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: TUF$alarm.wav$xIG
                                        • API String ID: 1174141254-2188790166
                                        • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                        • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                        • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                        • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        • Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                        • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                        • Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                        • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                        • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                        • Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                        • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                        • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                        • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: Control Panel\Desktop
                                        • API String ID: 1818849710-27424756
                                        • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                        • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                        • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                        • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: TUF
                                        • API String ID: 1818849710-3431404234
                                        • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                        • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                        • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                        • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                        • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                        APIs
                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                        • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetCursorInfo$User32.dll
                                        APIs
                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                        • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetLastInputInfo$User32.dll
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                        Similarity
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        Strings
                                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        APIs
                                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                        Similarity
                                        • API ID: CloseOpenQuerySleepValue
                                        • String ID: 0+b$@CG$exepath
                                        Similarity
                                        • API ID: SystemTimes$Sleep__aulldiv
                                        APIs
                                          • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                          • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                          • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                                        Similarity
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        APIs
                                        • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                          • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                          • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                        • _UnwindNestedFrames.LIBCMT ref: 00438124
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                        • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                        • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                        • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                        • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                        • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                        • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                        • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                        • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                        • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                        • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                        • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                        • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                        • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                        • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountEventTick
                                        • String ID: >G
                                        • API String ID: 180926312-1296849874
                                        • Opcode ID: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                        • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                        • Opcode Fuzzy Hash: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                        • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Info
                                        • String ID: $fD
                                        • API String ID: 1807457897-3092946448
                                        • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                        • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                        • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                        • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                          • Part of subcall function 004177A2: 73B82440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                          • Part of subcall function 00417815: 73B9EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: 73BA5080.GDIPLUS(?,00417CCC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateStream$A5080B82440
                                        • String ID: image/jpeg
                                        • API String ID: 1779422830-3785015651
                                        • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                        • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                        • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                        • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                        • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                          • Part of subcall function 004177A2: 73B82440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                          • Part of subcall function 00417815: 73B9EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: 73BA5080.GDIPLUS(?,00417CCC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateStream$A5080B82440
                                        • String ID: image/png
                                        • API String ID: 1779422830-2966254431
                                        • Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                        • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                        • Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                        • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                        • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                        • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                        • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00448943
                                        • GetFileType.KERNEL32(00000000), ref: 00448955
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileHandleType
                                        • String ID: P?c
                                        • API String ID: 3000768030-530115964
                                        • Opcode ID: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                        • Instruction ID: e72e3a163d38be5f7a7623f46eac45f8fe04114c14e2a7ad6025d4c7bfa50cde
                                        • Opcode Fuzzy Hash: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                        • Instruction Fuzzy Hash: D41145B1508F524AE7304E3D8C8863BBA959756330B380B2FD5B6867F1CF28D886954B
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: P?c
                                        • API String ID: 269201875-530115964
                                        • Opcode ID: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                        • Instruction ID: 8090df87744a04f370904591f18fafe20db4d8262e12f9b5c6200b5f8240d2d1
                                        • Opcode Fuzzy Hash: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                        • Instruction Fuzzy Hash: C111E671A4030147F7249F2DAC42F563298E755734F25222BF979EB6E0D778C892428E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: LG$XG
                                        • API String ID: 0-1482930923
                                        • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                        • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                        • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                        • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                        • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2037632111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2037618666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037664943.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037684260.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2037796010.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZeaS4nUxg4.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: QueryValue
                                        • String ID: TUF
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        APIs
                                          • Part of subcall function 00444ACC: RtlEnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                        • RtlDeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                        • _free.LIBCMT ref: 004487D3
                                        Similarity
                                        • API ID: CriticalSection$DeleteEnter_free
                                        • String ID: P?c
                                        APIs
                                        • waveInPrepareHeader.WINMM(0062D720,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                        • waveInAddBuffer.WINMM(0062D720,00000020,?,00000000,00401913), ref: 0040175D
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: T=G
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • _abort.LIBCMT ref: 0044DE19
                                        • _free.LIBCMT ref: 0044DE4D
                                        Similarity
                                        • API ID: ErrorLast_abort_free
                                        • String ID: `3c
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$j=D
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: T=G$T=G
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                                          • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        APIs
                                        • _free.LIBCMT ref: 00448825
                                          • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        Similarity
                                        • API ID: ErrorFreeHeapLast_free
                                        • String ID: `@$`@
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                        • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        APIs
                                          • Part of subcall function 00448763: RtlDeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                          • Part of subcall function 00448763: _free.LIBCMT ref: 004487D3
                                          • Part of subcall function 00448803: _free.LIBCMT ref: 00448825
                                        • RtlDeleteCriticalSection.KERNEL32(00633F30), ref: 0043AD31
                                        • _free.LIBCMT ref: 0043AD45
                                        Similarity
                                        • API ID: _free$CriticalDeleteSection
                                        • String ID: P?c
                                        Similarity
                                        • API ID: CommandLine
                                        • String ID: `&a
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                        • GetLastError.KERNEL32 ref: 0043FB02
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID: